Linux Analysis Report
yakuza.arm6.elf

Overview

General Information

Sample name: yakuza.arm6.elf
Analysis ID: 1561404
MD5: 71187117520741c397ab754334df6d7b
SHA1: 51b26b230a74735dd5b332b0117458a88b20d016
SHA256: 8a19a98181b3f0ec087eb0d81ed85064f9f6009c77a929c0c9d738d9d58e0561
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "rm" command used to delete files or directories
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: yakuza.arm6.elf ReversingLabs: Detection: 60%
Source: yakuza.arm6.elf Virustotal: Detection: 52% Perma Link
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6287) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6310) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6314) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6320) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6329) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6338) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6367) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6373) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6377) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6401) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6407) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6415) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6424) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6431) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6438) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6447) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6453) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6463) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6468) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6478) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6485) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6494) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6500) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6504) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6510) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6518) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6524) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6531) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6538) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6547) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6554) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6563) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6572) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6578) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6583) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6587) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6594) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6600) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6609) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6617) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6626) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6630) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6640) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6647) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6656) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6665) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6674) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6678) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6685) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6694) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6703) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6712) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6720) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6729) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6736) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6752) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses IRC for communication with a C&C
Source: unknown IRC traffic detected: 192.168.2.23:38766 -> 95.234.158.87:6780 NICK [OSX|ARM4T]q9pxkd USER q9pxkd localhost localhost :q9pxkd
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 38766 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38768 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38770 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38772 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38774 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38776 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38778 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38780 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38782 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38784 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38786 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38788 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38790 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38792 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38794 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38796 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38798 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38800 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38802 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38804 -> 6780
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:38766 -> 95.234.158.87:6780
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: yakuza.arm6.elf String found in binary or memory: http://linux-it.abuser.eu/yak.sh;
Source: yakuza.arm6.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.arm6.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39256
Source: unknown Network traffic detected: HTTP traffic on port 39256 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yakuza.arm6.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: yakuza.arm6.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: yakuza.arm6.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 6266.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6270.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm6.elf PID: 6266, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm6.elf PID: 6270, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Yara signature match
Source: yakuza.arm6.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: yakuza.arm6.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: yakuza.arm6.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 6266.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6270.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm6.elf PID: 6266, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm6.elf PID: 6270, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.troj.linELF@0/0@0/0
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm6.elf ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/6594/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/6594/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/6591/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/6591/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1698/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1698/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1576/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1576/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/2302/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/2302/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/912/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/912/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/2307/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/2307/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/918/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/918/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1594/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1594/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1349/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1349/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 6594) File opened: /proc/3/cmdline
Executes commands using a shell command-line interpreter
Source: /tmp/yakuza.arm6.elf (PID: 6278) Shell command executed: sh -c "pkill -9 902i13 || busybox pkill -9 902i13" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6308) Shell command executed: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6312) Shell command executed: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6318) Shell command executed: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6323) Shell command executed: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6333) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6362) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6371) Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6375) Shell command executed: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6399) Shell command executed: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6405) Shell command executed: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6409) Shell command executed: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6419) Shell command executed: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6426) Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6433) Shell command executed: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6442) Shell command executed: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86" Jump to behavior
Source: /tmp/yakuza.arm6.elf (PID: 6449) Shell command executed: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.arm6.elf (PID: 6458) Shell command executed: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.arm6.elf (PID: 6466) Shell command executed: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.arm6.elf (PID: 6472) Shell command executed: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.arm6.elf (PID: 6480) Shell command executed: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.arm6.elf (PID: 6489) Shell command executed: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.arm6.elf (PID: 6498) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.arm6.elf (PID: 6502) Shell command executed: sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.arm6.elf (PID: 6508) Shell command executed: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.arm6.elf (PID: 6512) Shell command executed: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.arm6.elf (PID: 6522) Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.arm6.elf (PID: 6526) Shell command executed: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.arm6.elf (PID: 6533) Shell command executed: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.arm6.elf (PID: 6542) Shell command executed: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.arm6.elf (PID: 6549) Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.arm6.elf (PID: 6558) Shell command executed: sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.arm6.elf (PID: 6566) Shell command executed: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.arm6.elf (PID: 6576) Shell command executed: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.arm6.elf (PID: 6581) Shell command executed: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.arm6.elf (PID: 6585) Shell command executed: sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.arm6.elf (PID: 6591) Shell command executed: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.arm6.elf (PID: 6598) Shell command executed: sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.arm6.elf (PID: 6604) Shell command executed: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.arm6.elf (PID: 6611) Shell command executed: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.arm6.elf (PID: 6621) Shell command executed: sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.arm6.elf (PID: 6628) Shell command executed: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.arm6.elf (PID: 6632) Shell command executed: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.arm6.elf (PID: 6638) Shell command executed: sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Source: /tmp/yakuza.arm6.elf (PID: 6642) Shell command executed: sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
Source: /tmp/yakuza.arm6.elf (PID: 6651) Shell command executed: sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"
Source: /tmp/yakuza.arm6.elf (PID: 6659) Shell command executed: sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"
Source: /tmp/yakuza.arm6.elf (PID: 6669) Shell command executed: sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"
Source: /tmp/yakuza.arm6.elf (PID: 6676) Shell command executed: sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"
Source: /tmp/yakuza.arm6.elf (PID: 6680) Shell command executed: sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"
Source: /tmp/yakuza.arm6.elf (PID: 6689) Shell command executed: sh -c "pkill -9 ggtr || busybox pkill -9 ggtr"
Source: /tmp/yakuza.arm6.elf (PID: 6698) Shell command executed: sh -c "pkill -9 14Fa || busybox pkill -9 14Fa"
Source: /tmp/yakuza.arm6.elf (PID: 6707) Shell command executed: sh -c "pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337"
Source: /tmp/yakuza.arm6.elf (PID: 6714) Shell command executed: sh -c "pkill -9 ggtt || busybox pkill -9 ggtt"
Source: /tmp/yakuza.arm6.elf (PID: 6724) Shell command executed: sh -c "pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4"
Source: /tmp/yakuza.arm6.elf (PID: 6731) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X"
Source: /tmp/yakuza.arm6.elf (PID: 6740) Shell command executed: sh -c "pkill -9 haetrghbr || busybox pkill -9 haetrghbr"
Source: /tmp/yakuza.arm6.elf (PID: 6747) Shell command executed: sh -c "pkill -9 19ju3d || busybox pkill -9 19ju3d"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 6287) Pkill executable: /usr/bin/pkill -> pkill -9 902i13 Jump to behavior
Source: /bin/sh (PID: 6310) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY Jump to behavior
Source: /bin/sh (PID: 6314) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7 Jump to behavior
Source: /bin/sh (PID: 6320) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL Jump to behavior
Source: /bin/sh (PID: 6329) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87 Jump to behavior
Source: /bin/sh (PID: 6338) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd Jump to behavior
Source: /bin/sh (PID: 6367) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X Jump to behavior
Source: /bin/sh (PID: 6373) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE Jump to behavior
Source: /bin/sh (PID: 6377) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e Jump to behavior
Source: /bin/sh (PID: 6401) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4 Jump to behavior
Source: /bin/sh (PID: 6407) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA Jump to behavior
Source: /bin/sh (PID: 6415) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex Jump to behavior
Source: /bin/sh (PID: 6424) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc Jump to behavior
Source: /bin/sh (PID: 6431) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ Jump to behavior
Source: /bin/sh (PID: 6438) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids Jump to behavior
Source: /bin/sh (PID: 6447) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86 Jump to behavior
Source: /bin/sh (PID: 6453) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 6463) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 6468) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 6478) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 6485) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 6494) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 6500) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 6504) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 6510) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 6518) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 6524) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 6531) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 6538) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 6547) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 6554) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 6563) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 6572) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 6578) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 6583) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 6587) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 6594) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 6600) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 6609) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 6617) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 6626) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 6630) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 6634) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 6640) Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 6647) Pkill executable: /usr/bin/pkill -> pkill -9 wget-log
Source: /bin/sh (PID: 6656) Pkill executable: /usr/bin/pkill -> pkill -9 1337SoraLOADER
Source: /bin/sh (PID: 6665) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKINA
Source: /bin/sh (PID: 6674) Pkill executable: /usr/bin/pkill -> pkill -9 ggtq
Source: /bin/sh (PID: 6678) Pkill executable: /usr/bin/pkill -> pkill -9 1378bfp919GRB1Q2
Source: /bin/sh (PID: 6685) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKUSO
Source: /bin/sh (PID: 6694) Pkill executable: /usr/bin/pkill -> pkill -9 ggtr
Source: /bin/sh (PID: 6703) Pkill executable: /usr/bin/pkill -> pkill -9 14Fa
Source: /bin/sh (PID: 6712) Pkill executable: /usr/bin/pkill -> pkill -9 SEXSLAVE1337
Source: /bin/sh (PID: 6720) Pkill executable: /usr/bin/pkill -> pkill -9 ggtt
Source: /bin/sh (PID: 6729) Pkill executable: /usr/bin/pkill -> pkill -9 1902a3u912u3u4
Source: /bin/sh (PID: 6736) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X
Source: /bin/sh (PID: 6745) Pkill executable: /usr/bin/pkill -> pkill -9 haetrghbr
Source: /bin/sh (PID: 6752) Pkill executable: /usr/bin/pkill -> pkill -9 19ju3d
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 6340) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Lfb9T7YjQQ /tmp/tmp.uBcPAn4gBV /tmp/tmp.cDHBVMe0e3
Source: /usr/bin/dash (PID: 6341) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Lfb9T7YjQQ /tmp/tmp.uBcPAn4gBV /tmp/tmp.cDHBVMe0e3

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 38766 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38768 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38770 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38772 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38774 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38776 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38778 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38780 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38782 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38784 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38786 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38788 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38790 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38792 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38794 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38796 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38798 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38800 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38802 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 38804 -> 6780
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6287) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6310) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6314) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6320) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6329) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6338) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6367) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6373) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6377) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6401) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6407) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6415) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6424) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6431) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6438) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6447) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6453) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6463) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6468) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6478) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6485) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6494) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6500) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6504) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6510) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6518) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6524) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6531) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6538) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6547) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6554) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6563) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6572) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6578) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6583) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6587) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6594) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6600) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6609) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6617) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6626) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6630) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6640) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6647) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6656) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6665) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6674) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6678) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6685) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6694) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6703) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6712) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6720) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6729) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6736) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6752) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/yakuza.arm6.elf (PID: 6266) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6300) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6311) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6317) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6321) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6330) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6339) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6368) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6374) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6398) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6404) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6408) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6416) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6425) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6432) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6441) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6448) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6457) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6464) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6469) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6479) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6486) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6495) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6501) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6507) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6511) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6519) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6525) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6532) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6541) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6548) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6557) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6564) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6573) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6579) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6584) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6590) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6597) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6601) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6610) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6618) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6627) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6631) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6637) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6641) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6650) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6657) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6666) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6675) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6679) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6688) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6697) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6706) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6713) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6721) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6730) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6737) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6746) Queries kernel information via 'uname':
Source: yakuza.arm6.elf, 6266.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp, yakuza.arm6.elf, 6270.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp Binary or memory string: af&x86_64/usr/bin/qemu-arm/tmp/yakuza.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yakuza.arm6.elf
Source: yakuza.arm6.elf, 6266.1.00005607130da000.0000560713208000.rw-.sdmp, yakuza.arm6.elf, 6270.1.00005607130da000.0000560713208000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: yakuza.arm6.elf, 6266.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp, yakuza.arm6.elf, 6270.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: yakuza.arm6.elf, 6266.1.00005607130da000.0000560713208000.rw-.sdmp, yakuza.arm6.elf, 6270.1.00005607130da000.0000560713208000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm
Source: yakuza.arm6.elf, 6270.1.00007ffc484ef000.00007ffc48510000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm6.elf, type: SAMPLE
Source: Yara match File source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm6.elf, type: SAMPLE
Source: Yara match File source: 6266.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6270.1.00007f5e1c017000.00007f5e1c035000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
95.234.158.87
 unknown Italy
3269 ASN-IBSNAZIT true
34.249.145.219
 unknown United States
16509 AMAZON-02US false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false