Linux Analysis Report
yakuza.x86.elf

Overview

General Information

Sample name: yakuza.x86.elf
Analysis ID: 1561405
MD5: 86ae7faf59555791f91c85614824d7fc
SHA1: 77182d8944b2d96bd8f7e50e6a056c23f6be0127
SHA256: e801f5c7f5b523fd52eff6502bb1805bced37cb26f77f36d8de0df2e9a8e78e0
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

Source: yakuza.x86.elf ReversingLabs: Detection: 63%
Source: yakuza.x86.elf Joe Sandbox ML: detected
Source: /usr/bin/pkill (PID: 5542) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5547) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5555) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5563) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5566) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5571) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5574) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5598) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5601) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5605) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5610) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5613) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5618) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5621) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5626) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5629) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5637) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5642) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5645) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5652) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5655) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5661) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5664) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5669) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5672) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5677) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5680) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5683) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5688) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5691) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5696) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5699) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5704) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5707) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5713) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5716) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5721) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5724) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5729) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5732) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5737) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5740) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5748) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5755) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5758) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5764) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5767) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5772) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5775) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Source: unknown IRC traffic detected: 192.168.2.14:56980 -> 95.234.158.87:6780 NICK [OSX|x86_64]iKAieWz USER iKAieWz localhost localhost :iKAieWz
Source: unknown Network traffic detected: IRC traffic on port 56980 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56982 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56984 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56986 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56990 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56992 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56994 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56996 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56998 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57000 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57002 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57004 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57006 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57008 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57010 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57012 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57014 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57016 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57018 -> 6780
Source: global traffic TCP traffic: 192.168.2.14:56980 -> 95.234.158.87:6780
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: yakuza.x86.elf String found in binary or memory: http://linux-it.abuser.eu/yak.sh;
Source: yakuza.x86.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.x86.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever
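The networking findings above boil down to one observable: the bot registers with an IRC server by sending NICK and USER, and it does so on TCP port 6780 rather than an IRC port. Note also that the Yara matches in the System Summary are Gafgyt and Tsunami rules and the C2 channel is IRC, so the "Mirai" label under Detection is the sandbox's family score rather than the only attribution the report supports. The detector below is an added example written for this page, not code from the sandbox or from the sample: it scans client-to-server TCP payloads for an IRC registration on any port, splits off the bracketed "[OS|arch]" prefix seen in the captured nick, and flags sessions on non-standard ports. The flow records and the benign payloads are constructed; the first flow reproduces the NICK/USER line the report captured, and the standard-port set (194, 6667, 6697) is this example's assumption.

```python
"""Detect IRC bot registration (NICK/USER) on any TCP port.

Added example for this report; not code from the sandbox or the sample.
Flow records and payloads are constructed; the first one reproduces the
NICK/USER line the report captured on 192.168.2.14:56980 -> 95.234.158.87:6780.
"""
import re
from dataclasses import dataclass

# Ports where an IRC client is expected (194 assigned, 6667 plain, 6697 TLS).
# Registration on any other port matches the report's "IRC on non-standard port" finding.
STANDARD_IRC_PORTS = {194, 6667, 6697}

NICK_RE = re.compile(rb"^NICK[ \t]+(?P<nick>\S+)", re.M)
# RFC 2812 form is "USER <user> <mode> <unused> :<realname>"; the bot sends
# "USER <nick> localhost localhost :<nick>", which the same pattern covers.
USER_RE = re.compile(
    rb"^USER[ \t]+(?P<user>\S+)[ \t]+(?P<host>\S+)[ \t]+(?P<server>\S+)[ \t]+:?(?P<real>[^\r\n]*)",
    re.M,
)
# Bracketed "[OS|arch]" prefix on the nick, as in "[OSX|x86_64]iKAieWz" in the report.
TAG_RE = re.compile(r"^\[(?P<os>[^|\]]+)\|(?P<arch>[^\]]+)\]")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # client-to-server bytes of the session


def parse_irc_registration(payload: bytes):
    """Return nick/user/realname/platform if the payload carries an IRC registration, else None."""
    nick_m = NICK_RE.search(payload)
    user_m = USER_RE.search(payload)
    if nick_m is None or user_m is None:
        return None
    nick = nick_m.group("nick").decode("ascii", "replace")
    tag = TAG_RE.match(nick)
    return {
        "nick": nick,
        "platform": f"{tag['os']}|{tag['arch']}" if tag else None,
        "user": user_m.group("user").decode("ascii", "replace"),
        "realname": user_m.group("real").decode("ascii", "replace"),
    }


def flag_irc_c2(flows):
    """Return one alert per flow that registers with an IRC server, noting non-standard ports."""
    alerts = []
    for f in flows:
        reg = parse_irc_registration(f.payload)
        if reg is None:
            continue
        alerts.append({
            "client": f"{f.src}:{f.sport}",
            "c2": f"{f.dst}:{f.dport}",
            "nonstandard_port": f.dport not in STANDARD_IRC_PORTS,
            **reg,
        })
    return alerts


# Constructed sample traffic: the bot's registration from the report, a benign
# HTTP request on a TEST-NET address, and a legitimate IRC login on 6667.
SAMPLE_FLOWS = [
    Flow("192.168.2.14", 56980, "95.234.158.87", 6780,
         b"NICK [OSX|x86_64]iKAieWz\r\nUSER iKAieWz localhost localhost :iKAieWz\r\n"),
    Flow("192.168.2.14", 40001, "192.0.2.10", 80,
         b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("192.168.2.14", 40002, "192.0.2.20", 6667,
         b"NICK alice\r\nUSER alice 0 * :Alice Example\r\n"),
]

if __name__ == "__main__":
    for alert in flag_irc_c2(SAMPLE_FLOWS):
        print(alert)
```

Matching on the NICK/USER pair instead of on port 6667 is what makes this catch the session above; a port-based IRC rule would have missed 6780 entirely. The platform tag is reported as-is (the sample announces "OSX|x86_64" even though it is a Linux x86 ELF), so treat it as a bot-supplied label, not a fact about the host.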

System Summary

Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_a6a2adb9 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_f3d83a74 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_e0673a90 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_821173df Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_656bf077 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_148b91a2 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_779e142f Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_32eb0c81 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_e98b83ee Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_0e52c842 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_a6a2adb9 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_f3d83a74 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_e0673a90 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_821173df Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_656bf077 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_148b91a2 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_779e142f Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_32eb0c81 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_e98b83ee Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_0e52c842 Author: unknown
Source: Process Memory Space: yakuza.x86.elf PID: 5537, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: yakuza.x86.elf ELF static info symbol of initial sample: passwords
Source: yakuza.x86.elf ELF static info symbol of initial sample: usernames
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
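The string findings above (the BusyBox pkill fallback, the history-wiping commands, the default-credential list and the yak.sh URL) are the evidence behind the "password brute-forcing", "BusyBox" and "kill or pkill" signatures. The following triage script is an added example written for this page, not the sandbox's or the sample author's code: it extracts printable strings from a binary blob the way `strings -n 4` would, sorts them into those indicator classes, and scores the result. The blob it runs on is constructed from the strings the report lists, with NUL separators, so the example runs offline without the sample; the credential set is exactly the list the report flags, and the scoring threshold is this example's assumption.

```python
"""Static string triage for an IoT bot ELF.

Added example for this report; not the sandbox's or the sample author's code.
The blob below is constructed from strings the report lists for yakuza.x86.elf
(BusyBox pkill fallback, history wiping, default credentials, the yak.sh URL).
"""
import re

# Default credentials the report flags as "potential weak password" strings.
WEAK_CREDS = {"guest", "default", "admin", "supervisor", "service",
              "administrator", "support", "123456", "password", "12345"}
# "pkill -9 %s || busybox pkill -9 %s": kill a process by name, retrying through BusyBox.
KILL_RE = re.compile(r"\b(?:busybox\s+)?p?kill\s+-9\b")
# Shell history wiping and temp-dir cleanup from the same string block.
ANTIFORENSIC_RE = re.compile(r"history\s+-[cw]|rm\s+-f\s+\.bash_history|rm\s+-f\s+\*")
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def extract_strings(blob: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, like `strings -n <min_len>`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def triage(blob: bytes):
    """Group extracted strings into the indicator classes the report uses and score them."""
    strings = extract_strings(blob)
    report = {
        "weak_credentials": sorted({s for s in strings if s.lower() in WEAK_CREDS}),
        "process_kill": [s for s in strings if KILL_RE.search(s)],
        "anti_forensics": [s for s in strings if ANTIFORENSIC_RE.search(s)],
        "urls": sorted({u for s in strings for u in URL_RE.findall(s)}),
        "busybox": any("busybox" in s.lower() for s in strings),
    }
    # One point per indicator class present (assumed scoring; three or more is a strong bot signal).
    classes = ("weak_credentials", "process_kill", "anti_forensics", "urls")
    report["score"] = sum(1 for k in classes if report[k]) + int(report["busybox"])
    return report


# Constructed blob: an ELF-like header followed by NUL-separated strings taken from the report.
SAMPLE_BLOB = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b"busybox",
    b"pkill -9 %s || busybox pkill -9 %s",
    b"history -c;history -w",
    b"cd /root;rm -f .bash_history",
    b"cd /var/tmp; rm -f *",
    b"NOTICE %s :MOVE <server>",
    b"guest", b"admin", b"123456", b"password",
    b"http://linux-it.abuser.eu/yak.sh;",
]) + b"\x00"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Credential matching compares whole extracted strings, so it needs the NUL boundaries a compiled wordlist normally has; the regex classes match substrings and still work when strings run together, as they do in the report's "pkill -9 %s || busybox pkill -9 %shistory -c;..." line.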
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_a6a2adb9 reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = cdd0bb9ce40a000bb86b0c76616fe71fb7dbb87a044ddd778b7a07fdf804b877, id = a6a2adb9-9d54-42d4-abed-5b30d8062e97, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_f3d83a74 reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 1c5df68501b688905484ed47dc588306828aa7c114644428e22e5021bb39bd4a, id = f3d83a74-2888-435a-9a3c-b7de25084e9a, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_e0673a90 reference_sample = c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6834f65d54bbfb926f986fe2dd72cd30bf9804ed65fcc71c2c848e72350f386a, id = e0673a90-165e-4347-a965-e8d14fdf684b, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_821173df reference_sample = de7d1aff222c7d474e1a42b2368885ef16317e8da1ca3a63009bf06376026163, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = c311789e1370227f7be1d87da0c370a905b7f5b4c55cdee0f0474060cc0fc5e4, id = 821173df-6835-41e1-a662-a432abf23431, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_656bf077 reference_sample = c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ea8ed60190198d5887bb7093975d648a9fd78234827d648a8258008c965b1c1, id = 656bf077-ca0c-4d28-9daa-eb6baafaf467, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_148b91a2 reference_sample = d5b2bde0749ff482dc2389971e2ac76c4b1e7b887208a538d5555f0fe6984825, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 0f75090ed840f4601df4e43a2f49f2b32585213f3d86d19fb255d79c21086ba3, id = 148b91a2-ed51-4c2d-9d15-6a48d9ea3e0a, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_779e142f reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 83377b6fa77fda4544c409487d2d2c1ddcef8f7d4120f49a18888c7536f3969f, id = 779e142f-b867-46e6-b1fb-9105976f42fd, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_32eb0c81 reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 7c50ed29e2dd75a6a85afc43f8452794cb787ecd2061f4bf415d7038c14c523f, id = 32eb0c81-25af-4670-ab77-07ea7ce1874a, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_e98b83ee reference_sample = cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = b5440c783bc18e23f27a3131ccce4629f8d0ceea031971cbcdb69370ab52e935, id = e98b83ee-0533-481a-9947-538bd2f99b6b, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: yakuza.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_0e52c842 reference_sample = cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 70fdfb7aa5d1eff98e4e216e7a60ed1ba4d75ed1f47a57bf40eeaf35a92c88e4, id = 0e52c842-f65e-4c77-8081-ae2f160e35f4, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_a6a2adb9 reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = cdd0bb9ce40a000bb86b0c76616fe71fb7dbb87a044ddd778b7a07fdf804b877, id = a6a2adb9-9d54-42d4-abed-5b30d8062e97, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_f3d83a74 reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 1c5df68501b688905484ed47dc588306828aa7c114644428e22e5021bb39bd4a, id = f3d83a74-2888-435a-9a3c-b7de25084e9a, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_e0673a90 reference_sample = c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6834f65d54bbfb926f986fe2dd72cd30bf9804ed65fcc71c2c848e72350f386a, id = e0673a90-165e-4347-a965-e8d14fdf684b, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_821173df reference_sample = de7d1aff222c7d474e1a42b2368885ef16317e8da1ca3a63009bf06376026163, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = c311789e1370227f7be1d87da0c370a905b7f5b4c55cdee0f0474060cc0fc5e4, id = 821173df-6835-41e1-a662-a432abf23431, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_656bf077 reference_sample = c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ea8ed60190198d5887bb7093975d648a9fd78234827d648a8258008c965b1c1, id = 656bf077-ca0c-4d28-9daa-eb6baafaf467, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_148b91a2 reference_sample = d5b2bde0749ff482dc2389971e2ac76c4b1e7b887208a538d5555f0fe6984825, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 0f75090ed840f4601df4e43a2f49f2b32585213f3d86d19fb255d79c21086ba3, id = 148b91a2-ed51-4c2d-9d15-6a48d9ea3e0a, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_779e142f reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 83377b6fa77fda4544c409487d2d2c1ddcef8f7d4120f49a18888c7536f3969f, id = 779e142f-b867-46e6-b1fb-9105976f42fd, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_32eb0c81 reference_sample = 275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 7c50ed29e2dd75a6a85afc43f8452794cb787ecd2061f4bf415d7038c14c523f, id = 32eb0c81-25af-4670-ab77-07ea7ce1874a, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_e98b83ee reference_sample = cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = b5440c783bc18e23f27a3131ccce4629f8d0ceea031971cbcdb69370ab52e935, id = e98b83ee-0533-481a-9947-538bd2f99b6b, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_0e52c842 reference_sample = cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 70fdfb7aa5d1eff98e4e216e7a60ed1ba4d75ed1f47a57bf40eeaf35a92c88e4, id = 0e52c842-f65e-4c77-8081-ae2f160e35f4, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.x86.elf PID: 5537, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal76.troj.linELF@0/0@0/0
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/memcpy.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/mempcpy.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/memset.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/strchr.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/strcmp.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/strcpy.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/strlen.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/strpbrk.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/string/x86_64/strspn.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/sysdeps/linux/x86_64/crt1.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/sysdeps/linux/x86_64/crti.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/sysdeps/linux/x86_64/crtn.S
Source: yakuza.x86.elf ELF static info symbol of initial sample: libc/sysdeps/linux/x86_64/vfork.S
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1583/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1583/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/2672/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/2672/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1577/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1577/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/917/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/917/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/19/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/19/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1593/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1593/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/240/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/240/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3094/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3094/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/242/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/242/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3406/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3406/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/244/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/244/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1589/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1589/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/245/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/245/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1588/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/1588/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/246/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/246/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3402/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/3402/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/5/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/5/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/247/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/247/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/127/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/127/cmdline
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/6/status
Source: /usr/bin/pkill (PID: 5661) File opened: /proc/6/cmdline
Source: /tmp/yakuza.x86.elf (PID: 5541) Shell command executed: sh -c "pkill -9 902i13 || busybox pkill -9 902i13"
Source: /tmp/yakuza.x86.elf (PID: 5546) Shell command executed: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY"
Source: /tmp/yakuza.x86.elf (PID: 5549) Shell command executed: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7"
Source: /tmp/yakuza.x86.elf (PID: 5554) Shell command executed: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL"
Source: /tmp/yakuza.x86.elf (PID: 5557) Shell command executed: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87"
Source: /tmp/yakuza.x86.elf (PID: 5562) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.x86.elf (PID: 5565) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X"
Source: /tmp/yakuza.x86.elf (PID: 5570) Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE"
Source: /tmp/yakuza.x86.elf (PID: 5573) Shell command executed: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e"
Source: /tmp/yakuza.x86.elf (PID: 5597) Shell command executed: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4"
Source: /tmp/yakuza.x86.elf (PID: 5600) Shell command executed: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA"
Source: /tmp/yakuza.x86.elf (PID: 5604) Shell command executed: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex"
Source: /tmp/yakuza.x86.elf (PID: 5609) Shell command executed: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc"
Source: /tmp/yakuza.x86.elf (PID: 5612) Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ"
Source: /tmp/yakuza.x86.elf (PID: 5617) Shell command executed: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids"
Source: /tmp/yakuza.x86.elf (PID: 5620) Shell command executed: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
Source: /tmp/yakuza.x86.elf (PID: 5625) Shell command executed: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.x86.elf (PID: 5628) Shell command executed: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.x86.elf (PID: 5633) Shell command executed: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.x86.elf (PID: 5636) Shell command executed: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.x86.elf (PID: 5641) Shell command executed: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.x86.elf (PID: 5644) Shell command executed: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.x86.elf (PID: 5651) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.x86.elf (PID: 5654) Shell command executed: sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.x86.elf (PID: 5660) Shell command executed: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.x86.elf (PID: 5663) Shell command executed: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.x86.elf (PID: 5668) Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.x86.elf (PID: 5671) Shell command executed: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.x86.elf (PID: 5676) Shell command executed: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.x86.elf (PID: 5679) Shell command executed: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.x86.elf (PID: 5682) Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.x86.elf (PID: 5687) Shell command executed: sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.x86.elf (PID: 5690) Shell command executed: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.x86.elf (PID: 5695) Shell command executed: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.x86.elf (PID: 5698) Shell command executed: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.x86.elf (PID: 5703) Shell command executed: sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.x86.elf (PID: 5706) Shell command executed: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.x86.elf (PID: 5712) Shell command executed: sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.x86.elf (PID: 5715) Shell command executed: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.x86.elf (PID: 5720) Shell command executed: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.x86.elf (PID: 5723) Shell command executed: sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.x86.elf (PID: 5728) Shell command executed: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.x86.elf (PID: 5731) Shell command executed: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.x86.elf (PID: 5736) Shell command executed: sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Source: /tmp/yakuza.x86.elf (PID: 5739) Shell command executed: sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
Source: /tmp/yakuza.x86.elf (PID: 5744) Shell command executed: sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"
Source: /tmp/yakuza.x86.elf (PID: 5747) Shell command executed: sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"
Source: /tmp/yakuza.x86.elf (PID: 5754) Shell command executed: sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"
Source: /tmp/yakuza.x86.elf (PID: 5757) Shell command executed: sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"
Source: /tmp/yakuza.x86.elf (PID: 5763) Shell command executed: sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"
Source: /tmp/yakuza.x86.elf (PID: 5766) Shell command executed: sh -c "pkill -9 ggtr || busybox pkill -9 ggtr"
Source: /tmp/yakuza.x86.elf (PID: 5771) Shell command executed: sh -c "pkill -9 14Fa || busybox pkill -9 14Fa"
Source: /tmp/yakuza.x86.elf (PID: 5774) Shell command executed: sh -c "pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337"
Source: /bin/sh (PID: 5542) Pkill executable: /usr/bin/pkill -> pkill -9 902i13
Source: /bin/sh (PID: 5547) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY
Source: /bin/sh (PID: 5550) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7
Source: /bin/sh (PID: 5555) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL
Source: /bin/sh (PID: 5558) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87
Source: /bin/sh (PID: 5563) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 5566) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X
Source: /bin/sh (PID: 5571) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE
Source: /bin/sh (PID: 5574) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e
Source: /bin/sh (PID: 5598) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4
Source: /bin/sh (PID: 5601) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA
Source: /bin/sh (PID: 5605) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex
Source: /bin/sh (PID: 5610) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc
Source: /bin/sh (PID: 5613) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ
Source: /bin/sh (PID: 5618) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids
Source: /bin/sh (PID: 5621) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86
Source: /bin/sh (PID: 5626) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 5629) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 5634) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 5637) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 5642) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 5645) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 5652) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 5655) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 5661) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 5664) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 5669) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 5672) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 5677) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 5680) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 5683) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 5688) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 5691) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 5696) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 5699) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 5704) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 5707) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 5713) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 5716) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 5721) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 5724) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 5729) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 5732) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 5737) Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 5740) Pkill executable: /usr/bin/pkill -> pkill -9 wget-log
Source: /bin/sh (PID: 5745) Pkill executable: /usr/bin/pkill -> pkill -9 1337SoraLOADER
Source: /bin/sh (PID: 5748) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKINA
Source: /bin/sh (PID: 5755) Pkill executable: /usr/bin/pkill -> pkill -9 ggtq
Source: /bin/sh (PID: 5758) Pkill executable: /usr/bin/pkill -> pkill -9 1378bfp919GRB1Q2
Source: /bin/sh (PID: 5764) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKUSO
Source: /bin/sh (PID: 5767) Pkill executable: /usr/bin/pkill -> pkill -9 ggtr
Source: /bin/sh (PID: 5772) Pkill executable: /usr/bin/pkill -> pkill -9 14Fa
Source: /bin/sh (PID: 5775) Pkill executable: /usr/bin/pkill -> pkill -9 SEXSLAVE1337

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: IRC traffic on port 56980 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56982 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56984 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56986 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56990 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56992 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56994 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56996 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56998 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57000 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57002 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57004 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57006 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57008 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57010 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57012 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57014 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57016 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57018 -> 6780
Source: /usr/bin/pkill (PID: 5542) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5547) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5555) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5563) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5566) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5571) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5574) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5598) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5601) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5605) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5610) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5613) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5618) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5621) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5626) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5629) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5637) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5642) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5645) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5652) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5655) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5661) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5664) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5669) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5672) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5677) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5680) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5683) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5688) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5691) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5696) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5699) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5704) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5707) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5713) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5716) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5721) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5724) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5729) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5732) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5737) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5740) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5748) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5755) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5758) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5764) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5767) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5772) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5775) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/busybox (PID: 5543) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5548) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5551) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5556) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5559) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5564) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5567) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5572) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5575) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5599) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5602) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5608) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5611) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5616) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5619) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5624) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5627) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5632) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5635) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5640) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5643) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5648) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5653) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5657) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5662) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5665) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5670) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5673) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5678) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5681) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5686) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5689) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5694) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5697) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5702) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5705) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5709) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5714) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5717) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5722) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5725) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5730) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5733) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5738) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5741) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5746) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5751) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5756) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5760) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5765) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5768) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5773) Queries kernel information via 'uname':

Stealing of Sensitive Information

Source: Yara match File source: yakuza.x86.elf, type: SAMPLE
Source: Yara match File source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality

Source: Yara match File source: yakuza.x86.elf, type: SAMPLE
Source: Yara match File source: 5537.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY