Linux Analysis Report
m68k.elf

Overview

General Information

Sample name:	m68k.elf
Analysis ID:	1579331
MD5:	9ae6e6aa6861aa1cc318288ab07cf733
SHA1:	0eb9b62960ffc2a019466a38bfdb7523dd0b1b45
SHA256:	92083001a8b3939d6ffc05f24f79a1e944a9c7da7761f84c6ba747f415439125
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Moobot

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Moobot

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: m68k.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: m68k.elf	ReversingLabs: Detection: 65%
Source: m68k.elf	Virustotal: Detection: 60%			Perma Link

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:51878 -> 209.141.47.117:1999

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.47.117
Source: unknown	TCP traffic detected without corresponding DNS query: 109.83.157.71
Source: unknown	TCP traffic detected without corresponding DNS query: 113.134.161.159
Source: unknown	TCP traffic detected without corresponding DNS query: 82.202.104.255
Source: unknown	TCP traffic detected without corresponding DNS query: 31.21.241.159
Source: unknown	TCP traffic detected without corresponding DNS query: 170.148.179.157
Source: unknown	TCP traffic detected without corresponding DNS query: 99.0.5.148
Source: unknown	TCP traffic detected without corresponding DNS query: 170.77.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 253.153.207.248
Source: unknown	TCP traffic detected without corresponding DNS query: 249.98.85.115
Source: unknown	TCP traffic detected without corresponding DNS query: 40.24.16.53
Source: unknown	TCP traffic detected without corresponding DNS query: 67.156.243.102
Source: unknown	TCP traffic detected without corresponding DNS query: 46.161.242.120
Source: unknown	TCP traffic detected without corresponding DNS query: 162.233.117.193
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.57.247
Source: unknown	TCP traffic detected without corresponding DNS query: 222.218.65.213
Source: unknown	TCP traffic detected without corresponding DNS query: 253.120.86.87
Source: unknown	TCP traffic detected without corresponding DNS query: 223.192.136.189
Source: unknown	TCP traffic detected without corresponding DNS query: 171.134.72.195
Source: unknown	TCP traffic detected without corresponding DNS query: 152.65.75.52
Source: unknown	TCP traffic detected without corresponding DNS query: 42.45.178.234
Source: unknown	TCP traffic detected without corresponding DNS query: 170.127.234.84
Source: unknown	TCP traffic detected without corresponding DNS query: 209.194.7.215
Source: unknown	TCP traffic detected without corresponding DNS query: 195.191.249.63
Source: unknown	TCP traffic detected without corresponding DNS query: 17.120.23.31
Source: unknown	TCP traffic detected without corresponding DNS query: 194.80.37.37
Source: unknown	TCP traffic detected without corresponding DNS query: 169.202.237.7
Source: unknown	TCP traffic detected without corresponding DNS query: 12.191.176.82
Source: unknown	TCP traffic detected without corresponding DNS query: 151.12.50.253
Source: unknown	TCP traffic detected without corresponding DNS query: 61.52.233.29
Source: unknown	TCP traffic detected without corresponding DNS query: 191.220.28.5
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.147.88
Source: unknown	TCP traffic detected without corresponding DNS query: 20.181.96.58
Source: unknown	TCP traffic detected without corresponding DNS query: 80.121.244.181
Source: unknown	TCP traffic detected without corresponding DNS query: 91.17.172.203
Source: unknown	TCP traffic detected without corresponding DNS query: 130.181.62.85
Source: unknown	TCP traffic detected without corresponding DNS query: 81.17.235.161
Source: unknown	TCP traffic detected without corresponding DNS query: 115.200.213.96
Source: unknown	TCP traffic detected without corresponding DNS query: 82.84.244.97
Source: unknown	TCP traffic detected without corresponding DNS query: 43.221.249.10
Source: unknown	TCP traffic detected without corresponding DNS query: 181.190.92.170
Source: unknown	TCP traffic detected without corresponding DNS query: 158.43.197.44
Source: unknown	TCP traffic detected without corresponding DNS query: 113.50.246.31
Source: unknown	TCP traffic detected without corresponding DNS query: 48.177.63.53
Source: unknown	TCP traffic detected without corresponding DNS query: 179.93.14.79
Source: unknown	TCP traffic detected without corresponding DNS query: 202.42.87.168
Source: unknown	TCP traffic detected without corresponding DNS query: 221.188.115.88
Source: unknown	TCP traffic detected without corresponding DNS query: 126.189.228.189
Source: unknown	TCP traffic detected without corresponding DNS query: 71.170.50.223

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@0/0

Enumerates processes within the "proc" file system

Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2033/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2275/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6195/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1612/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2028/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/3236/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2025/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2146/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4444/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4445/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4446/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/517/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/759/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2285/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2281/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1623/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/761/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1622/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/884/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1983/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2038/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1860/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2156/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6238/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1629/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1627/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/3021/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2294/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2050/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6250/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1877/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/772/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1633/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1632/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/774/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1477/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/654/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/896/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1476/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1872/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2048/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/655/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2289/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/656/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/657/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/658/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6248/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/419/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1639/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1638/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2208/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2180/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4480/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4483/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4486/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1809/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1494/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1890/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2063/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2062/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1888/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1886/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/420/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1489/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/785/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1642/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/788/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/667/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/789/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4477/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4510/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1648/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2078/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2077/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2074/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2195/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/670/cmdline	Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/m68k.elf (PID: 6236)

Queries kernel information via 'uname':

Jump to behavior

Source: m68k.elf, 6236.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6239.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6246.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: m68k.elf, 6236.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6239.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6246.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.elf, 6236.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6239.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6246.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp	Binary or memory string: nx86_64/usr/bin/qemu-m68k/tmp/m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.elf
Source: m68k.elf, 6236.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6239.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6246.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
205.141.136.69	unknown	United States	26059	PGH-ASUS	false
149.64.118.107	unknown	United States	188	SAIC-ASUS	false
16.195.252.71	unknown	United States	unknown	unknown	false
106.239.231.238	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
251.141.223.216	unknown	Reserved	unknown	unknown	false
76.45.67.205	unknown	United States	11955	TWC-11955-ATLANTAUS	false
221.118.101.84	unknown	Japan	9354	TDNCCommunityNetworkCenterIncJP	false
156.53.207.154	unknown	United States	54535	NIKEUS-NVUS	false
45.150.101.148	unknown	Liechtenstein	47987	LOVESERVERSGB	false
185.185.4.15	unknown	France	34659	KEYYOFR	false
12.25.42.33	unknown	United States	7018	ATT-INTERNET4US	false
133.121.107.207	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
110.12.189.180	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
111.161.219.202	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
174.111.216.202	unknown	United States	11426	TWC-11426-CAROLINASUS	false
204.235.31.194	unknown	United States	11714	NETWORKNEBRASKAUS	false
218.241.245.126	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
241.142.95.214	unknown	Reserved	unknown	unknown	false
85.40.216.106	unknown	Italy	3269	ASN-IBSNAZIT	false
104.119.158.106	unknown	United States	16625	AKAMAI-ASUS	false
156.129.84.137	unknown	United States	29975	VODACOM-ZA	false
81.100.53.3	unknown	United Kingdom	5089	NTLGB	false
2.23.194.109	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
98.80.130.178	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
223.48.101.243	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
102.188.230.233	unknown	Egypt	24835	RAYA-ASEG	false
105.245.94.98	unknown	South Africa	29975	VODACOM-ZA	false
1.64.97.223	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
252.229.146.228	unknown	Reserved	unknown	unknown	false
178.72.78.186	unknown	Russian Federation	44257	TNGS-SOUTHRU	false
151.108.246.63	unknown	United States	1218	NCUBE-BELMONT-ASUS	false
176.89.170.213	unknown	Turkey	3352	TELEFONICA_DE_ESPANAES	false
62.71.248.221	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
197.117.202.152	unknown	Algeria	36947	ALGTEL-ASDZ	false
61.233.185.2	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
241.170.201.8	unknown	Reserved	unknown	unknown	false
60.223.85.119	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
209.144.94.231	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
42.131.15.183	unknown	China	4249	LILLY-ASUS	false
179.31.197.1	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
84.107.247.102	unknown	Netherlands	33915	TNF-ASNL	false
31.16.29.12	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	false
85.162.103.146	unknown	Czech Republic	28725	CETIN-ASCZ	false
126.180.202.144	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
156.26.242.128	unknown	United States	22245	WICHITA-STATE-UUS	false
81.39.118.62	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
246.118.193.90	unknown	Reserved	unknown	unknown	false
97.113.46.249	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
139.156.198.80	unknown	Netherlands	2497	IIJInternetInitiativeJapanIncJP	false
138.8.202.230	unknown	United States	264524	CunhaeZanatotelecomLTDAMEBR	false
107.110.215.229	unknown	United States	7018	ATT-INTERNET4US	false
17.110.154.36	unknown	United States	714	APPLE-ENGINEERINGUS	false
104.93.215.93	unknown	United States	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
192.183.78.26	unknown	United States	5650	FRONTIER-FRTRUS	false
201.209.177.135	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	false
118.98.154.13	unknown	Indonesia	17974	TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID	false
102.188.230.239	unknown	Egypt	24835	RAYA-ASEG	false
136.61.172.243	unknown	United States	16591	GOOGLE-FIBERUS	false
47.87.88.252	unknown	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
107.237.101.4	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
241.106.228.89	unknown	Reserved	unknown	unknown	false
98.214.24.184	unknown	United States	7922	COMCAST-7922US	false
202.103.119.163	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
82.254.51.77	unknown	France	12322	PROXADFR	false
249.99.25.253	unknown	Reserved	unknown	unknown	false
207.48.70.238	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
84.225.71.238	unknown	Hungary	8448	PGSM-HUTorokbalintHungaryHU	false
221.103.69.141	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
185.174.35.223	unknown	Liechtenstein	206478	LILIFELI	false
203.190.75.93	unknown	Hong Kong	4637	ASN-TELSTRA-GLOBALTelstraGlobalHK	false
168.181.230.128	unknown	Honduras	263829	HOSTPARATUVIDASAHN	false
165.12.32.140	unknown	Australia	9509	DESE-AS-APDepartmentofEducationSkillsandEmploymentAU	false
107.53.129.55	unknown	United States	16567	NETRIX-16567US	false
200.160.241.253	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
121.160.2.169	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
63.211.141.110	unknown	United States	3356	LEVEL3US	false
57.36.70.249	unknown	Belgium	2686	ATGS-MMD-ASUS	false
196.152.153.90	unknown	Egypt	36935	Vodafone-EG	false
143.2.187.24	unknown	United States	11003	PANDGUS	false
212.188.118.222	unknown	Russian Federation	49154	MTS-DOM-ASRU	false
18.183.188.74	unknown	United States	16509	AMAZON-02US	false
61.190.87.222	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
38.247.196.124	unknown	United States	174	COGENT-174US	false
98.73.50.189	unknown	United States	7018	ATT-INTERNET4US	false
82.65.147.246	unknown	France	12322	PROXADFR	false
213.105.49.170	unknown	United Kingdom	5089	NTLGB	false
153.76.145.81	unknown	United States	14962	NCR-252US	false
150.48.44.134	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
177.128.119.251	unknown	Brazil	28196	BANCOVOTORANTIMSABR	false
175.94.197.31	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
203.229.91.0	unknown	Korea Republic of	38095	QRIXNETSDM-AS-KRTBroadKR	false
37.251.13.160	unknown	Netherlands	49562	XMSNL	false
12.100.240.66	unknown	United States	7018	ATT-INTERNET4US	false
162.123.152.23	unknown	United States	11857	AEGONUSAUS	false
125.235.185.99	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
113.111.211.103	unknown	China	4816	CHINANET-IDC-GDChinaTelecomGroupCN	false
2.208.111.154	unknown	Germany	6805	TDDE-ASN1DE	false
94.154.174.150	unknown	Germany	10753	LVLT-10753US	false
160.7.250.26	unknown	United States	36223	SPANISHFORK-COMMUNITY-NETWORKUS	false
72.48.57.200	unknown	United States	7459	GRANDECOM-AS1US	false

AV Detection

Antivirus / Scanner detection for submitted sample

Source: m68k.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: m68k.elf	ReversingLabs: Detection: 65%
Source: m68k.elf	Virustotal: Detection: 60%			Perma Link

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:51878 -> 209.141.47.117:1999

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.47.117
Source: unknown	TCP traffic detected without corresponding DNS query: 109.83.157.71
Source: unknown	TCP traffic detected without corresponding DNS query: 113.134.161.159
Source: unknown	TCP traffic detected without corresponding DNS query: 82.202.104.255
Source: unknown	TCP traffic detected without corresponding DNS query: 31.21.241.159
Source: unknown	TCP traffic detected without corresponding DNS query: 170.148.179.157
Source: unknown	TCP traffic detected without corresponding DNS query: 99.0.5.148
Source: unknown	TCP traffic detected without corresponding DNS query: 170.77.217.173
Source: unknown	TCP traffic detected without corresponding DNS query: 253.153.207.248
Source: unknown	TCP traffic detected without corresponding DNS query: 249.98.85.115
Source: unknown	TCP traffic detected without corresponding DNS query: 40.24.16.53
Source: unknown	TCP traffic detected without corresponding DNS query: 67.156.243.102
Source: unknown	TCP traffic detected without corresponding DNS query: 46.161.242.120
Source: unknown	TCP traffic detected without corresponding DNS query: 162.233.117.193
Source: unknown	TCP traffic detected without corresponding DNS query: 85.207.57.247
Source: unknown	TCP traffic detected without corresponding DNS query: 222.218.65.213
Source: unknown	TCP traffic detected without corresponding DNS query: 253.120.86.87
Source: unknown	TCP traffic detected without corresponding DNS query: 223.192.136.189
Source: unknown	TCP traffic detected without corresponding DNS query: 171.134.72.195
Source: unknown	TCP traffic detected without corresponding DNS query: 152.65.75.52
Source: unknown	TCP traffic detected without corresponding DNS query: 42.45.178.234
Source: unknown	TCP traffic detected without corresponding DNS query: 170.127.234.84
Source: unknown	TCP traffic detected without corresponding DNS query: 209.194.7.215
Source: unknown	TCP traffic detected without corresponding DNS query: 195.191.249.63
Source: unknown	TCP traffic detected without corresponding DNS query: 17.120.23.31
Source: unknown	TCP traffic detected without corresponding DNS query: 194.80.37.37
Source: unknown	TCP traffic detected without corresponding DNS query: 169.202.237.7
Source: unknown	TCP traffic detected without corresponding DNS query: 12.191.176.82
Source: unknown	TCP traffic detected without corresponding DNS query: 151.12.50.253
Source: unknown	TCP traffic detected without corresponding DNS query: 61.52.233.29
Source: unknown	TCP traffic detected without corresponding DNS query: 191.220.28.5
Source: unknown	TCP traffic detected without corresponding DNS query: 103.171.147.88
Source: unknown	TCP traffic detected without corresponding DNS query: 20.181.96.58
Source: unknown	TCP traffic detected without corresponding DNS query: 80.121.244.181
Source: unknown	TCP traffic detected without corresponding DNS query: 91.17.172.203
Source: unknown	TCP traffic detected without corresponding DNS query: 130.181.62.85
Source: unknown	TCP traffic detected without corresponding DNS query: 81.17.235.161
Source: unknown	TCP traffic detected without corresponding DNS query: 115.200.213.96
Source: unknown	TCP traffic detected without corresponding DNS query: 82.84.244.97
Source: unknown	TCP traffic detected without corresponding DNS query: 43.221.249.10
Source: unknown	TCP traffic detected without corresponding DNS query: 181.190.92.170
Source: unknown	TCP traffic detected without corresponding DNS query: 158.43.197.44
Source: unknown	TCP traffic detected without corresponding DNS query: 113.50.246.31
Source: unknown	TCP traffic detected without corresponding DNS query: 48.177.63.53
Source: unknown	TCP traffic detected without corresponding DNS query: 179.93.14.79
Source: unknown	TCP traffic detected without corresponding DNS query: 202.42.87.168
Source: unknown	TCP traffic detected without corresponding DNS query: 221.188.115.88
Source: unknown	TCP traffic detected without corresponding DNS query: 126.189.228.189
Source: unknown	TCP traffic detected without corresponding DNS query: 71.170.50.223

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@0/0

Enumerates processes within the "proc" file system

Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2033/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2275/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6195/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1612/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2028/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/3236/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2025/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2146/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4444/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4445/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/912/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4446/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/517/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/759/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/918/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2285/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2281/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1623/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/761/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1622/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/884/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1983/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2038/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1344/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1465/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1586/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1860/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1463/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2156/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6238/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1629/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1627/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1900/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/3021/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/491/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2294/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2050/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6250/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1877/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/772/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1633/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1632/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/774/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1477/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/654/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/896/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1476/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1872/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2048/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/655/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2289/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/656/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/657/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/658/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/6248/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/419/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1639/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1638/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2208/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2180/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4480/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4483/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4486/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1809/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1494/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1890/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2063/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2062/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1888/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1886/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/420/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1489/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/785/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1642/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/788/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/667/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/789/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4477/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/4510/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/1648/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2078/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2077/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2074/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/2195/cmdline	Jump to behavior
Source: /tmp/m68k.elf (PID: 6244)	File opened: /proc/670/cmdline	Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/m68k.elf (PID: 6236)

Queries kernel information via 'uname':

Jump to behavior

Source: m68k.elf, 6236.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6239.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6246.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: m68k.elf, 6236.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6239.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6246.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.elf, 6236.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6239.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp, m68k.elf, 6246.1.00007ffd41895000.00007ffd418b6000.rw-.sdmp	Binary or memory string: nx86_64/usr/bin/qemu-m68k/tmp/m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.elf
Source: m68k.elf, 6236.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6239.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp, m68k.elf, 6246.1.0000558b1bf35000.0000558b1bfbf000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: m68k.elf, type: SAMPLE
Source: Yara match	File source: 6236.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6239.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6246.1.00007f7d98001000.00007f7d98017000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6239, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.elf PID: 6246, type: MEMORYSTR

ID:	1579331
Product:	CloudBasic
Start time:	18:36:05
Start date:	21.12.2024
Sample:	m68k.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	9ae6e6aa6861aa1cc318288ab07cf733
SHA1:	0eb9b62960ffc2a019466a38bfdb7523dd0b1b45
SHA256:	92083001a8b3939d6ffc05f24f79a1e944a9c7da7761f84c6ba747f415439125
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
m68k.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report m68k.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
m68k.elf

Malware Threat Intel
Provided by