Source: armv4eb.elf | ReversingLabs: Detection: 44% |
Source: /tmp/armv4eb.elf (PID: 6221) | Opens: /sys/class/net/ |
Source: /tmp/armv4eb.elf (PID: 6221) | Opens: /sys/class/net/ens160/address |
Source: /tmp/armv4eb.elf (PID: 6221) | Opens: /sys/class/net/ens160/flags |
Source: /tmp/armv4eb.elf (PID: 6221) | Opens: /sys/class/net/ens160/carrier |
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443 |
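The "TCP traffic detected without corresponding DNS query" hits above are the sandbox noting that the process connected to addresses no DNS answer had named, which is what a bot with a hard-coded C2 or report server looks like. The script below is an added example (not the sandbox vendor's code and not from the sample) that reproduces that heuristic over signature lines in the layout used on this page: flows are processed in report order, an address counts as resolved only if a DNS answer precedes the flow, and repeated signature lines for the same address collapse to one finding. The input is constructed for the example; the "DNS query" line format, the name updates.example.invalid and the 203.0.113.7 flow are invented to exercise the negative case. Because the analysis guest itself may talk to update or time servers, the function takes an allowlist built from a clean baseline run rather than deciding here which of the three addresses on this page are benign.

```python
import re

# Constructed sandbox-style signature lines in the layout used on this page.  The three
# destinations are the ones the report lists; the "DNS query" line (an assumed format),
# the 203.0.113.7 flow and the repeated 91.189.91.42 flow are added for the example.
REPORT_LINES = """\
Source: global traffic | DNS query: updates.example.invalid -> 203.0.113.7 |
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: global traffic | TCP traffic: 192.168.2.23:40011 -> 203.0.113.7:80 |
Source: global traffic | TCP traffic: 192.168.2.23:40012 -> 91.189.91.42:443 |
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TCP_RE = re.compile(r"TCP traffic: " + IPV4 + r":(\d+) -> " + IPV4 + r":(\d+)")
DNS_RE = re.compile(r"DNS query: (\S+) -> " + IPV4)


def destinations_without_dns(report, allowlist=frozenset()):
    """Return {dst_ip: sorted ports} for TCP destinations contacted before any
    DNS answer named them and not on the analyst's allowlist.

    Lines are processed in report order, so an address is only "resolved" when
    the DNS answer precedes the flow.  A bot carrying its C2 address inside the
    binary never produces such an answer.  Each address is reported once however
    many flows or repeated signature lines mention it.
    """
    resolved = set()
    findings = {}
    for line in report.splitlines():
        m = DNS_RE.search(line)
        if m:
            resolved.add(m.group(2))
            continue
        m = TCP_RE.search(line)
        if not m:
            continue
        dst, dport = m.group(3), int(m.group(4))
        if dst in resolved or dst in allowlist:
            continue
        findings.setdefault(dst, set()).add(dport)
    return {ip: sorted(ports) for ip, ports in findings.items()}


if __name__ == "__main__":
    # Allowlist would normally come from a run of the clean guest with no sample.
    for ip, ports in destinations_without_dns(REPORT_LINES).items():
        print(f"{ip} ports={ports}")
```

The allowlist is deliberately empty by default: the point of the check is to surface every unresolved destination, and suppressing the guest's own background traffic is a decision the analyst makes with baseline data, not one the parser should make silently.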
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -en ' |
Source: Initial sample | String containing 'busybox' found: .d && /bin/busybox echo -e '\x46\x49\x4e' |
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo ' |
Source: Initial sample | String containing 'busybox' found: /bin/busybox chmod 777 .d; ./.d > .b; /bin/busybox chmod 777 .b; ./.b matrix |
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -en ''>.d && /bin/busybox echo -e '\x46\x49\x4e' |
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '\c'>>/bin/busybox chmod 777 .d; ./.d > .b; /bin/busybox chmod 777 .b; ./.b matrix |
Source: Initial sample | String containing 'busybox' found: rm -rf .d; rm -rf .b; >.d; (chmod 777 .d || /bin/busybox chmod 777 .d || cp /bin/sh .d; >.d); >.b; (chmod 777 .b || /bin/busybox chmod 777 .b || cp /bin/sh .b; >.b) |
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /proc/self/exe || cat /bin/echo |
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget --help; /bin/busybox ftpget --help; /bin/busybox echo -e '\x67\x61\x79\x66\x67\x74'; |
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -e '\x53\x54\x41\x52\x54'; cat /proc/cpuinfo; /bin/busybox echo -e '\x45\x4e\x44' |
Source: Initial sample | String containing 'busybox' found: BusyBox on \S+ \wogin |
Source: Initial sample | String containing 'busybox' found: ELFsage: wgetsage: ftpgetgayfgt/bin/busybox echo -e '\x53\x54\x41\x52\x54'; cat /proc/cpuinfo; /bin/busybox echo -e '\x45\x4e\x44' |
Source: Initial sample | String containing 'busybox' found: /usr//mnt//var/run//dev/shm//etc//var//tmp//dev//var/home/user/fw/admin1231234666666ubnt888888klv12340000111111111111123451234561234567890admin12601hx4321543216543217ujMko0admin88888888a1sev5y7c39kAdminadmin123AdmiN*123admin1234adminHWadminpassBrAhMoS@15CalVxePV1! cat1029CenturyL1nkchzhdplconexantCTLsupport12cxx4dm1n5591epicrouterGeNeXiS@19gponAdminGPONALC#FGUgw1adminh@32LuyDho4uku6atadministratorAdministratorsupervisormeinsmmicrobusinessnology*/P@55w0rd!passpasswordplumeria0077QwestM0demripcode!roots2@We3%Dc#smcadminstdONU101systemtechTeleCom_1234telnetv2mprtve0RbANGXpon@Olt9417##xTaaA8jzhoneadtecadtecftpbinCMCCAdmine8telnetCUAdmindaemondefaulttluafedvhd1206e8ehome1e8ehomee8ehomeasbhi3518EpuseruserEpfliruser3vligftpvideoguestguest123!!Huawei@HuaweiHgwkeomeolnadminlnadmin0123456mg3500merlinmothernobodyontONTUSERSUGAR2A041rapportr@p8p0r+remotessh5SaP9I26!@#$qwer00000000000000000000059AnkJ070admin11001chin11111111234qwer1.oN%cpi2010vesta2011vesta207B16th23we98oi258025804uvdzKqBkj.jg5up/*6.=_ja7ujMko0vizxvadminp |
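Several of the busybox command strings above wrap short `echo -e '\xNN...'` payloads around other commands (one brackets `cat /proc/cpuinfo`, one follows the `wget --help; ftpget --help` probe, one follows the creation of the `.d` stub). The sandbox lists them with the escapes intact, so the marker text is not visible. The script below is an added example, not code from the page or from the sample, that decodes those payloads the way BusyBox `echo -e` would print them, rewrites the commands into the form that would actually cross a telnet session, and treats the sample's `BusyBox on \S+ \wogin` string as the regular expression it appears to be (note `\wogin` matches both "login" and "Login"). The string list is copied from the report and embedded here; the test banners are constructed.

```python
import re

# Command strings copied from the "busybox" hits listed above (embedded for the example).
SAMPLE_STRINGS = [
    r"/bin/busybox echo -en ''>.d && /bin/busybox echo -e '\x46\x49\x4e'",
    r"/bin/busybox chmod 777 .d; ./.d > .b; /bin/busybox chmod 777 .b; ./.b matrix",
    r"/bin/busybox cat /proc/self/exe || cat /bin/echo",
    r"/bin/busybox wget --help; /bin/busybox ftpget --help; /bin/busybox echo -e '\x67\x61\x79\x66\x67\x74';",
    r"/bin/busybox echo -e '\x53\x54\x41\x52\x54'; cat /proc/cpuinfo; /bin/busybox echo -e '\x45\x4e\x44'",
    r"BusyBox on \S+ \wogin",
]

# An `echo -e '...'` argument made entirely of \xNN escapes.  `echo -en ''` does not match.
HEX_ECHO_RE = re.compile(r"echo -e '((?:\\x[0-9A-Fa-f]{2})+)'")


def decode_hex_escapes(escaped):
    # r"\x46\x49\x4e" -> "46494e" -> "FIN", the bytes BusyBox echo -e would emit.
    return bytes.fromhex(escaped.replace("\\x", "")).decode("ascii")


def extract_markers(strings):
    """Map every hex-escaped echo payload found in the strings to its decoded text."""
    found = {}
    for s in strings:
        for esc in HEX_ECHO_RE.findall(s):
            found[esc] = decode_hex_escapes(esc)
    return found


def render_commands(strings):
    """Rewrite the commands with the escapes decoded: the text an analyst watching
    the telnet session, or a session-content rule, would actually see."""
    return [
        HEX_ECHO_RE.sub(lambda m: "echo -e '" + decode_hex_escapes(m.group(1)) + "'", s)
        for s in strings
    ]


# The sample's own prompt pattern, copied verbatim and compiled as a regex.
BUSYBOX_PROMPT_RE = re.compile(r"BusyBox on \S+ \wogin")


def looks_like_busybox_prompt(banner):
    """True when a received banner line matches the sample's login-prompt pattern."""
    return BUSYBOX_PROMPT_RE.search(banner) is not None


if __name__ == "__main__":
    for esc, text in extract_markers(SAMPLE_STRINGS).items():
        print(f"{esc!r} -> {text!r}")
    for cmd in render_commands(SAMPLE_STRINGS):
        print(cmd)
```

Decoded, the markers are ordinary ASCII words that delimit output the other side reads back (the cpuinfo block sits between two of them), which is why they are more useful to a session-content rule in decoded form than as the escape sequences the string scanner reports.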
Source: Initial sample | String containing potential weak password found: admin |
Source: Initial sample | String containing potential weak password found: 12345 |
Source: Initial sample | String containing potential weak password found: 123456 |
Source: Initial sample | String containing potential weak password found: 54321 |
Source: Initial sample | String containing potential weak password found: 654321 |
Source: Initial sample | String containing potential weak password found: admin1234 |
Source: Initial sample | String containing potential weak password found: administrator |
Source: Initial sample | String containing potential weak password found: supervisor |
Source: Initial sample | String containing potential weak password found: password |
Source: Initial sample | String containing potential weak password found: default |
Source: Initial sample | String containing potential weak password found: guest |
Source: Initial sample | String containing potential weak password found: service |
Source: Initial sample | String containing potential weak password found: support |
Source: ELF static info symbol of initial sample | .symtab present: no |
Source: classification engine | Classification label: mal64.spyw.evad.linELF@0/0@0/0 |
Source: /tmp/armv4eb.elf (PID: 6221) | File: /tmp/armv4eb.elf |
Source: /tmp/armv4eb.elf (PID: 6221) | Queries kernel information via 'uname': |
Source: armv4eb.elf, 6221.1.000055ce43fab000.000055ce440f9000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/armeb |
Source: armv4eb.elf, 6221.1.00007ffcc7437000.00007ffcc7458000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-armeb |
Source: armv4eb.elf, 6221.1.00007ffcc7437000.00007ffcc7458000.rw-.sdmp | Binary or memory string: ox86_64/usr/bin/qemu-armeb/tmp/armv4eb.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/armv4eb.elf |
Source: armv4eb.elf, 6221.1.000055ce43fab000.000055ce440f9000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/armeb |
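The four memory strings above come from the analysis harness, not from the sample: the big-endian ARM ELF was run through `/usr/bin/qemu-armeb` via `binfmt_misc`, and the long string is a stretch of that qemu process's stack holding its environment, with the NUL separators between entries lost when the dump was rendered as text. Paths such as `/usr/bin/qemu-armeb` and values such as `SUDO_USER=saturnino` therefore describe the sandbox host and should not go into an indicator list. The script below is an added example, not the sandbox vendor's code, that splits the flattened environment back into NAME=value entries (splitting where an uppercase identifier followed by `=` begins and is not the tail of a longer identifier, so `COLORTERM=` and `SUDO_GID=` stay whole) and flags the strings as analysis-environment artifacts. The heuristic is stated as an assumption: a value that itself ends in an uppercase run directly before the next name would be split wrongly, and the `ox86_64` prefix and the `/tmp/armv4eb.elf` that trails `SHELL=/bin/bash` are neighbouring stack strings it cannot separate, so they are left as they are.

```python
import re

# Memory strings copied from the report above (embedded here for the example).
MEMORY_STRINGS = [
    "/etc/qemu-binfmt/armeb",
    "/usr/bin/qemu-armeb",
    "ox86_64/usr/bin/qemu-armeb/tmp/armv4eb.elfSUDO_USER=saturnino"
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
    "DISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000"
    "TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8"
    "SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash"
    "/tmp/armv4eb.elf",
    "U!/etc/qemu-binfmt/armeb",
]

# Assumed boundary rule: an entry starts at an uppercase identifier followed by '='
# whose preceding character is not itself part of an identifier.  This keeps
# COLORTERM= from splitting into COLOR / TERM= and SUDO_GID= from splitting at GID=.
ENV_BOUNDARY = re.compile(r"(?<![A-Z_])(?=[A-Z][A-Z0-9_]*=)")


def split_flattened_environ(blob):
    """Split a run of NAME=value entries whose NUL separators were lost.

    Returns (text before the first entry, {NAME: value}).  Text that follows the
    last value (here the next stack string, /tmp/armv4eb.elf) stays attached to
    that value because nothing in the blob marks where the value ends.
    """
    parts = ENV_BOUNDARY.split(blob)
    env = {}
    for entry in parts[1:]:
        name, _, value = entry.partition("=")
        env[name] = value
    return parts[0], env


# Substrings that identify qemu-user / binfmt_misc and the operator's sudo session
# rather than anything the sample itself wrote (assumed list for this example).
ANALYSIS_MARKERS = ("qemu-binfmt", "qemu-", "SUDO_USER=", "XAUTHORITY=")
EMULATOR_RE = re.compile(r"/usr/bin/qemu-[a-z0-9]+")


def is_analysis_environment_artifact(s):
    return any(marker in s for marker in ANALYSIS_MARKERS)


def execution_context(memory_strings):
    """Summarise how the sample was launched, so the facts can be recorded as
    analysis metadata instead of being mistaken for sample behaviour."""
    ctx = {"emulator": None, "sudo_user": None, "effective_user": None, "artifacts": []}
    for s in memory_strings:
        if is_analysis_environment_artifact(s):
            ctx["artifacts"].append(s)
        m = EMULATOR_RE.search(s)
        if m and ctx["emulator"] is None:
            ctx["emulator"] = m.group(0)
        if "SUDO_USER=" in s:
            _, env = split_flattened_environ(s)
            ctx["sudo_user"] = env.get("SUDO_USER")
            ctx["effective_user"] = env.get("USER")
    return ctx


if __name__ == "__main__":
    leading, env = split_flattened_environ(MEMORY_STRINGS[2])
    print("before environ:", leading)
    for name, value in env.items():
        print(f"{name}={value}")
    print(execution_context(MEMORY_STRINGS))
```

Run against the page's strings, this reports the emulator as `/usr/bin/qemu-armeb`, the launching user as `saturnino` elevated to `root`, and all four strings as harness artifacts; the sample's own behaviour is the `/sys/class/net` reads, the `uname` query and the network connections listed earlier, not these paths.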