Linux Analysis Report
yakuza.arm5.elf

Overview

General Information

Sample name: yakuza.arm5.elf
Analysis ID: 1561406
MD5: 8e346de014a435d53bfb3236bcbb22a0
SHA1: 9c07a7b262c0b847bdf87e2d4f7a59cc7541a5cf
SHA256: d69aae30d881e1d095b928d962ef97e4cfbdb3a2e43a684d31613100fdaf1518
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: yakuza.arm5.elf ReversingLabs: Detection: 60%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5847) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5882) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5886) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5892) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5900) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5909) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5916) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5925) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5929) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5954) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5963) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5971) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5980) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5988) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5995) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6004) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6011) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6020) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6024) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6034) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6041) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6050) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6057) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6063) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6072) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6076) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6083) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6091) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6098) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6106) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6113) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6121) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6130) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6138) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6147) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6151) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6157) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6161) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6165) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6171) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6175) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6186) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6193) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6202) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6209) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6216) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6222) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6228) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6238) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6246) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6255) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6262) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6271) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6280) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6288) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6298) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6305) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6312) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6321) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses IRC for communication with a C&C
Source: unknown IRC traffic detected: 192.168.2.15:50314 -> 95.234.158.87:6780 NICK [OSX|ARM3]aA8U5 USER aA8U5 localhost localhost :aA8U5
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 50314 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50318 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50320 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50322 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50324 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50326 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50328 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50330 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50332 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50334 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50336 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50338 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50340 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50342 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50344 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50346 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50348 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50350 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50352 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50354 -> 6780
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.15:50314 -> 95.234.158.87:6780
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: yakuza.arm5.elf String found in binary or memory: http://linux-it.abuser.eu/yak.sh;
Source: yakuza.arm5.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.arm5.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yakuza.arm5.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5833.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5841.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm5.elf PID: 5833, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm5.elf PID: 5841, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Yara signature match
Source: yakuza.arm5.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5833.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5841.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm5.elf PID: 5833, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm5.elf PID: 5841, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.troj.linELF@0/0@2/0
Source: yakuza.arm5.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm5.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm5.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm5.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm5.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/5816/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/5816/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/5817/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/5817/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1333/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1333/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1695/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1695/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/911/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/911/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/914/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/914/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/917/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/917/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/19/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/19/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1591/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1591/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1588/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1588/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/246/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/246/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/5/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/5/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/127/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/127/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/6/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/6/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1585/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/1585/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/128/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/128/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/7/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/7/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/129/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/129/cmdline
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/8/status
Source: /usr/bin/pkill (PID: 6076) File opened: /proc/8/cmdline
Executes commands using a shell command-line interpreter
Source: /tmp/yakuza.arm5.elf (PID: 5845) Shell command executed: sh -c "pkill -9 902i13 || busybox pkill -9 902i13" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5877) Shell command executed: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5884) Shell command executed: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5890) Shell command executed: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5894) Shell command executed: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5904) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5911) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5918) Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5927) Shell command executed: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5952) Shell command executed: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5958) Shell command executed: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5965) Shell command executed: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5976) Shell command executed: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5983) Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5990) Shell command executed: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids" Jump to behavior
Source: /tmp/yakuza.arm5.elf (PID: 5999) Shell command executed: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
Source: /tmp/yakuza.arm5.elf (PID: 6006) Shell command executed: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.arm5.elf (PID: 6015) Shell command executed: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.arm5.elf (PID: 6022) Shell command executed: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.arm5.elf (PID: 6028) Shell command executed: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.arm5.elf (PID: 6036) Shell command executed: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.arm5.elf (PID: 6045) Shell command executed: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.arm5.elf (PID: 6052) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.arm5.elf (PID: 6061) Shell command executed: sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.arm5.elf (PID: 6067) Shell command executed: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.arm5.elf (PID: 6074) Shell command executed: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.arm5.elf (PID: 6081) Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.arm5.elf (PID: 6085) Shell command executed: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.arm5.elf (PID: 6093) Shell command executed: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.arm5.elf (PID: 6102) Shell command executed: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.arm5.elf (PID: 6109) Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.arm5.elf (PID: 6116) Shell command executed: sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.arm5.elf (PID: 6125) Shell command executed: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.arm5.elf (PID: 6132) Shell command executed: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.arm5.elf (PID: 6142) Shell command executed: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.arm5.elf (PID: 6149) Shell command executed: sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.arm5.elf (PID: 6155) Shell command executed: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.arm5.elf (PID: 6159) Shell command executed: sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.arm5.elf (PID: 6163) Shell command executed: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.arm5.elf (PID: 6169) Shell command executed: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.arm5.elf (PID: 6173) Shell command executed: sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.arm5.elf (PID: 6180) Shell command executed: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.arm5.elf (PID: 6188) Shell command executed: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.arm5.elf (PID: 6197) Shell command executed: sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Source: /tmp/yakuza.arm5.elf (PID: 6204) Shell command executed: sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
Source: /tmp/yakuza.arm5.elf (PID: 6211) Shell command executed: sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"
Source: /tmp/yakuza.arm5.elf (PID: 6220) Shell command executed: sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"
Source: /tmp/yakuza.arm5.elf (PID: 6224) Shell command executed: sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"
Source: /tmp/yakuza.arm5.elf (PID: 6234) Shell command executed: sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"
Source: /tmp/yakuza.arm5.elf (PID: 6241) Shell command executed: sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"
Source: /tmp/yakuza.arm5.elf (PID: 6250) Shell command executed: sh -c "pkill -9 ggtr || busybox pkill -9 ggtr"
Source: /tmp/yakuza.arm5.elf (PID: 6257) Shell command executed: sh -c "pkill -9 14Fa || busybox pkill -9 14Fa"
Source: /tmp/yakuza.arm5.elf (PID: 6266) Shell command executed: sh -c "pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337"
Source: /tmp/yakuza.arm5.elf (PID: 6275) Shell command executed: sh -c "pkill -9 ggtt || busybox pkill -9 ggtt"
Source: /tmp/yakuza.arm5.elf (PID: 6282) Shell command executed: sh -c "pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4"
Source: /tmp/yakuza.arm5.elf (PID: 6291) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X"
Source: /tmp/yakuza.arm5.elf (PID: 6300) Shell command executed: sh -c "pkill -9 haetrghbr || busybox pkill -9 haetrghbr"
Source: /tmp/yakuza.arm5.elf (PID: 6307) Shell command executed: sh -c "pkill -9 19ju3d || busybox pkill -9 19ju3d"
Source: /tmp/yakuza.arm5.elf (PID: 6316) Shell command executed: sh -c "pkill -9 SORAojkf120 || busybox pkill -9 SORAojkf120"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5847) Pkill executable: /usr/bin/pkill -> pkill -9 902i13 Jump to behavior
Source: /bin/sh (PID: 5882) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY Jump to behavior
Source: /bin/sh (PID: 5886) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7 Jump to behavior
Source: /bin/sh (PID: 5892) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL Jump to behavior
Source: /bin/sh (PID: 5900) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87 Jump to behavior
Source: /bin/sh (PID: 5909) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd Jump to behavior
Source: /bin/sh (PID: 5916) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X Jump to behavior
Source: /bin/sh (PID: 5925) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE Jump to behavior
Source: /bin/sh (PID: 5929) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e Jump to behavior
Source: /bin/sh (PID: 5954) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4 Jump to behavior
Source: /bin/sh (PID: 5963) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA Jump to behavior
Source: /bin/sh (PID: 5971) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex Jump to behavior
Source: /bin/sh (PID: 5980) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc Jump to behavior
Source: /bin/sh (PID: 5988) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ Jump to behavior
Source: /bin/sh (PID: 5995) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids Jump to behavior
Source: /bin/sh (PID: 6004) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86
Source: /bin/sh (PID: 6011) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 6020) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 6024) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 6034) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 6041) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 6050) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 6057) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 6063) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 6072) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 6076) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 6083) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 6091) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 6098) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 6106) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 6113) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 6121) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 6130) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 6138) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 6147) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 6151) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 6157) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 6161) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 6165) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 6171) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 6175) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 6186) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 6193) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 6202) Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 6209) Pkill executable: /usr/bin/pkill -> pkill -9 wget-log
Source: /bin/sh (PID: 6216) Pkill executable: /usr/bin/pkill -> pkill -9 1337SoraLOADER
Source: /bin/sh (PID: 6222) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKINA
Source: /bin/sh (PID: 6228) Pkill executable: /usr/bin/pkill -> pkill -9 ggtq
Source: /bin/sh (PID: 6238) Pkill executable: /usr/bin/pkill -> pkill -9 1378bfp919GRB1Q2
Source: /bin/sh (PID: 6246) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKUSO
Source: /bin/sh (PID: 6255) Pkill executable: /usr/bin/pkill -> pkill -9 ggtr
Source: /bin/sh (PID: 6262) Pkill executable: /usr/bin/pkill -> pkill -9 14Fa
Source: /bin/sh (PID: 6271) Pkill executable: /usr/bin/pkill -> pkill -9 SEXSLAVE1337
Source: /bin/sh (PID: 6280) Pkill executable: /usr/bin/pkill -> pkill -9 ggtt
Source: /bin/sh (PID: 6288) Pkill executable: /usr/bin/pkill -> pkill -9 1902a3u912u3u4
Source: /bin/sh (PID: 6298) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X
Source: /bin/sh (PID: 6305) Pkill executable: /usr/bin/pkill -> pkill -9 haetrghbr
Source: /bin/sh (PID: 6312) Pkill executable: /usr/bin/pkill -> pkill -9 19ju3d
Source: /bin/sh (PID: 6321) Pkill executable: /usr/bin/pkill -> pkill -9 SORAojkf120

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 50314 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50318 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50320 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50322 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50324 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50326 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50328 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50330 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50332 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50334 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50336 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50338 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50340 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50342 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50344 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50346 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50348 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50350 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50352 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 50354 -> 6780
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5847) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5882) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5886) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5892) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5900) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5909) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5916) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5925) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5929) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5954) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5963) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5971) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5980) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5988) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5995) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6004) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6011) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6020) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6024) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6034) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6041) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6050) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6057) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6063) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6072) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6076) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6083) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6091) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6098) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6106) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6113) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6121) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6130) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6138) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6147) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6151) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6157) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6161) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6165) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6171) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6175) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6186) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6193) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6202) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6209) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6216) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6222) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6228) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6238) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6246) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6255) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6262) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6271) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6280) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6288) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6298) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6305) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6312) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6321) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/yakuza.arm5.elf (PID: 5833) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5876) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5883) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5889) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5893) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5901) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5910) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5917) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5926) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5951) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5957) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5964) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5973) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5982) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5989) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5998) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6005) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6014) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6021) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6025) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6035) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6042) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6051) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6060) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6066) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6073) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6077) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6084) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6092) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6099) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6108) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6115) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6124) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6131) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6141) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6148) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6152) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6158) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6162) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6168) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6172) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6177) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6187) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6194) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6203) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6210) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6219) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6223) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6231) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6240) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6247) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6256) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6265) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6274) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6281) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6289) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6299) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6306) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6315) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 6326) Queries kernel information via 'uname':
Source: yakuza.arm5.elf, 5833.1.000055c0d68ec000.000055c0d6a1a000.rw-.sdmp, yakuza.arm5.elf, 5841.1.000055c0d68ec000.000055c0d6a1a000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: yakuza.arm5.elf, 5833.1.00007ffd969bb000.00007ffd969dc000.rw-.sdmp, yakuza.arm5.elf, 5841.1.00007ffd969bb000.00007ffd969dc000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/yakuza.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yakuza.arm5.elf
Source: yakuza.arm5.elf, 5833.1.000055c0d68ec000.000055c0d6a1a000.rw-.sdmp, yakuza.arm5.elf, 5841.1.000055c0d68ec000.000055c0d6a1a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: yakuza.arm5.elf, 5833.1.00007ffd969bb000.00007ffd969dc000.rw-.sdmp, yakuza.arm5.elf, 5841.1.00007ffd969bb000.00007ffd969dc000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: yakuza.arm5.elf, 5841.1.00007ffd969bb000.00007ffd969dc000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm5.elf, type: SAMPLE
Source: Yara match File source: 5833.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5841.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm5.elf, type: SAMPLE
Source: Yara match File source: 5833.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5841.1.00007f70d4017000.00007f70d4032000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
95.234.158.87
 unknown Italy
3269 ASN-IBSNAZIT true

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true