Linux Analysis Report MPnFvIsvJp

Overview

General Information

Sample Name: MPnFvIsvJp
Analysis ID: 507413
MD5: 2af6167aa24d06f1795c507272d02916
SHA1: 24092366777f504a441a27f3555ca64e00719528
SHA256: 4c6ea0ba603fe0b1d8a97485afcf756d6e2a2630dfe18ee33353a17588924741
Tags: 32, elf, mirai, powerpc

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill many processes (SIGKILL)
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: MPnFvIsvJp Virustotal: Detection: 50%
Source: MPnFvIsvJp ReversingLabs: Detection: 58%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 716 INFO TELNET access 66.118.196.129:23 -> 192.168.2.23:36798
Source: Traffic Snort IDS: 492 INFO TELNET login failed 1.70.80.93:23 -> 192.168.2.23:60370
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 179.56.172.132:23 -> 192.168.2.23:49592
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 179.56.172.132:23 -> 192.168.2.23:49592
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52212
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52212
Source: Traffic Snort IDS: 716 INFO TELNET access 66.118.196.129:23 -> 192.168.2.23:36930
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:40952
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41016
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41030
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52276
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52276
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41038
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41042
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41062
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41082
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41094
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41112
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52378
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52378
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41132
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41132 -> 220.189.69.158:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 179.56.172.132:23 -> 192.168.2.23:49808
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 179.56.172.132:23 -> 192.168.2.23:49808
Source: Traffic Snort IDS: 716 INFO TELNET access 211.115.228.149:23 -> 192.168.2.23:50968
Source: Traffic Snort IDS: 716 INFO TELNET access 66.118.196.129:23 -> 192.168.2.23:37140
Source: Traffic Snort IDS: 716 INFO TELNET access 89.135.36.164:23 -> 192.168.2.23:55640
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52440
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52440
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 89.135.36.164:23 -> 192.168.2.23:55640
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 89.135.36.164:23 -> 192.168.2.23:55640
Source: Traffic Snort IDS: 492 INFO TELNET login failed 113.26.230.147:23 -> 192.168.2.23:39150
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 70.35.225.138:23 -> 192.168.2.23:57216
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 70.35.225.138:23 -> 192.168.2.23:57216
Source: Traffic Snort IDS: 716 INFO TELNET access 89.135.36.164:23 -> 192.168.2.23:55702
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52512
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52512
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 89.135.36.164:23 -> 192.168.2.23:55702
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 89.135.36.164:23 -> 192.168.2.23:55702
Source: Traffic Snort IDS: 716 INFO TELNET access 89.135.36.164:23 -> 192.168.2.23:55736
Source: Traffic Snort IDS: 716 INFO TELNET access 211.115.228.149:23 -> 192.168.2.23:51104
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 89.135.36.164:23 -> 192.168.2.23:55736
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 89.135.36.164:23 -> 192.168.2.23:55736
Source: Traffic Snort IDS: 716 INFO TELNET access 66.118.196.129:23 -> 192.168.2.23:37274
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52560
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52560
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 179.56.172.132:23 -> 192.168.2.23:49962
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 179.56.172.132:23 -> 192.168.2.23:49962
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.123.69.13:23 -> 192.168.2.23:39930
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.123.69.13:23 -> 192.168.2.23:39930
Source: Traffic Snort IDS: 716 INFO TELNET access 89.135.36.164:23 -> 192.168.2.23:55782
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 89.135.36.164:23 -> 192.168.2.23:55782
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 89.135.36.164:23 -> 192.168.2.23:55782
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.150.34.138:23 -> 192.168.2.23:52616
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.150.34.138:23 -> 192.168.2.23:52616
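The alert list above is the sandbox's raw Snort output. The following Python is an added example (not part of the Joe Sandbox report) that folds such lines into the per-target view an analyst actually wants: how many telnet sessions the sample opened to each remote host, how many of them ended in a failed login, and which Emerging Threats rules fired. The alert lines embedded below are copied from this report; the sandbox address 192.168.2.23, the failed-login sid group (492, 718, 1251) and the ET sid range are taken from the lines themselves.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: a subset of the Snort lines from this report, verbatim.
SAMPLE_ALERTS = """\
Source: Traffic Snort IDS: 716 INFO TELNET access 66.118.196.129:23 -> 192.168.2.23:36798
Source: Traffic Snort IDS: 492 INFO TELNET login failed 1.70.80.93:23 -> 192.168.2.23:60370
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 179.56.172.132:23 -> 192.168.2.23:49592
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 179.56.172.132:23 -> 192.168.2.23:49592
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:40952
Source: Traffic Snort IDS: 716 INFO TELNET access 220.189.69.158:23 -> 192.168.2.23:41132
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41132 -> 220.189.69.158:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 179.56.172.132:23 -> 192.168.2.23:49808
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 179.56.172.132:23 -> 192.168.2.23:49808
""".splitlines()

ALERT_RE = re.compile(
    r"Snort IDS:\s+(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)
SANDBOX_HOST = "192.168.2.23"          # the analysis VM in this report
LOGIN_FAILURE_SIDS = {492, 718, 1251}  # "login failed" / "login incorrect" / "Bad Login"
ET_SID_FLOOR = 2000000                 # Emerging Threats rules use sid >= 2000000


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line):
    """Return an Alert for a 'Snort IDS:' evidence line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))


def summarize(lines, host=SANDBOX_HOST):
    """Group alerts by remote telnet host; one local ephemeral port == one TCP session."""
    sessions = defaultdict(set)
    failed = defaultdict(set)
    et_hits = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        # Normalise direction: most rules fire on the server->client banner, the ET
        # rule fires on the client->server login, so pick whichever side is not the sandbox.
        if a.src == host:
            remote, local_port = a.dst, a.sport
        else:
            remote, local_port = a.src, a.dport
        sessions[remote].add(local_port)
        if a.sid in LOGIN_FAILURE_SIDS:
            failed[remote].add(local_port)   # 718 and 1251 pair up, so count sessions not alerts
        if a.sid >= ET_SID_FLOOR:
            et_hits[remote].add(a.sid)
    return {
        remote: {"sessions": len(sessions[remote]),
                 "failed_sessions": len(failed[remote]),
                 "et_hits": sorted(et_hits[remote])}
        for remote in sessions
    }


if __name__ == "__main__":
    for remote, stats in sorted(summarize(SAMPLE_ALERTS).items(),
                                key=lambda kv: -kv[1]["sessions"]):
        print(f"{remote:16} sessions={stats['sessions']} "
              f"failed={stats['failed_sessions']} et={stats['et_hits']}")
```

Counting sessions by local ephemeral port rather than by alert matters here: the 718 and 1251 rules both fire on the same failed login, so a naive alert count would double every failure. Direction normalisation is what makes the single outbound ET hit (2023448, the "ubnt" credential attempt) land on the same target, 220.189.69.158, as the inbound banner alerts for that session.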
Uses known network protocols on non-standard ports
(Note: the flows below are labelled HTTP by the sandbox's protocol heuristic, but the Snort alerts above show that the port-23 sessions are telnet, i.e. the credential-scanning traffic of Mirai's scanner. In each pair, 23 is the remote service port and the high number is the sample's ephemeral port on 192.168.2.23.)
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37764
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37768
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37770
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37772
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37774
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37776
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37780
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37782
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37794
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37796
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37784
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37798
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37804
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37806
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37808
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39468
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37816
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37814
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39476
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37822
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39480
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39486
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37828
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37834
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39496
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39498
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 39502
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54454
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54458
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54468
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54476
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54478
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54494
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54496
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54500
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
(Note: 91.189.91.42 and 91.189.91.43 lie in Canonical's address space and a motd-news artifact is listed further down, so at least the port-443 connections are the Ubuntu guest's own housekeeping rather than the sample's; treat the "expired dropper" label as unconfirmed.)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:44200 -> 176.126.175.188:1312
Sample listens on a socket
(Note: binding 0.0.0.0 on 23, 80 and the exploit ports is consistent with Mirai's killer module, which kills whatever holds a port and then occupies it itself so that neither the device's own daemons nor rival bots can reuse it. 37215, 52869 and 53413 are the service ports of router exploits commonly bundled into Mirai variants (Huawei HG532, Realtek SDK UPnP, Netis backdoor). The [::]:22 listener belongs to the guest's own /usr/sbin/sshd, not to the sample. Both sample PIDs, 5270 and 5276, bind the same set; 5276 later kills 5270, see System Summary.)
Source: /tmp/MPnFvIsvJp (PID: 5270) Socket: 0.0.0.0::22
Source: /tmp/MPnFvIsvJp (PID: 5270) Socket: 0.0.0.0::23
Source: /tmp/MPnFvIsvJp (PID: 5270) Socket: 0.0.0.0::53413
Source: /tmp/MPnFvIsvJp (PID: 5270) Socket: 0.0.0.0::80
Source: /tmp/MPnFvIsvJp (PID: 5270) Socket: 0.0.0.0::52869
Source: /tmp/MPnFvIsvJp (PID: 5270) Socket: 0.0.0.0::37215
Source: /tmp/MPnFvIsvJp (PID: 5276) Socket: 0.0.0.0::0
Source: /tmp/MPnFvIsvJp (PID: 5276) Socket: 0.0.0.0::23
Source: /tmp/MPnFvIsvJp (PID: 5276) Socket: 0.0.0.0::53413
Source: /tmp/MPnFvIsvJp (PID: 5276) Socket: 0.0.0.0::80
Source: /tmp/MPnFvIsvJp (PID: 5276) Socket: 0.0.0.0::52869
Source: /tmp/MPnFvIsvJp (PID: 5276) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5308) Socket: [::]::22
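The socket list above is exactly what a responder looks for on a suspect device: a process running out of /tmp holding 0.0.0.0 listeners on 23, 80 and the exploit ports. As an added example (not part of the report), the following Python decodes the kernel's /proc/net/tcp table, which is how that evidence is gathered on a live box or from a triage image, flags LISTEN sockets on the ports this sample bound, and maps socket inodes back to PIDs through the /proc/<pid>/fd symlinks. The /proc/net/tcp rows are constructed to mirror this report's findings (the 0.0.0.0:23 and 0.0.0.0:37215 binds and the 192.168.2.23:44200 -> 176.126.175.188:1312 connection); the inode numbers and the loopback port-631 listener are invented for the example.

```python
import os
import socket
import struct
import sys
from dataclasses import dataclass

# Constructed /proc/net/tcp snapshot modelled on the sockets in this report.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30101 1 0000000000000000 100 0 0 10 0
   1: 00000000:915F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30102 1 0000000000000000 100 0 0 10 0
   2: 1702A8C0:ACA8 BCAF7EB0:0520 01 00000000:00000000 00:00000000 00000000     0        0 30103 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30104 1 0000000000000000 100 0 0 10 0
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Ports the sample bound in this report: 22/23/80 are the services a Mirai killer
# locks out, the other three are router-exploit service ports reused by variants.
MIRAI_PORTS = {22, 23, 80, 37215, 52869, 53413}


@dataclass(frozen=True)
class Sock:
    local: tuple    # (ip, port)
    remote: tuple   # (ip, port)
    state: str
    inode: int


def _decode_addr(field, byteorder):
    """'1702A8C0:ACA8' -> ('192.168.2.23', 44200).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on an
    x86 host the bytes appear reversed; on a big-endian target such as this
    sample's PowerPC they would not, hence the explicit byte order."""
    ip_hex, port_hex = field.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    socks = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or not cols[0].endswith(":"):
            continue                      # header row or malformed line
        socks.append(Sock(_decode_addr(cols[1], byteorder),
                          _decode_addr(cols[2], byteorder),
                          TCP_STATES.get(cols[3], cols[3]),
                          int(cols[9])))
    return socks


def find_listeners(text, watch_ports, byteorder=sys.byteorder):
    """LISTEN sockets on watched ports as (ip, port, inode), sorted by port."""
    hits = [(s.local[0], s.local[1], s.inode)
            for s in parse_proc_net_tcp(text, byteorder)
            if s.state == "LISTEN" and s.local[1] in watch_ports]
    return sorted(hits, key=lambda h: h[1])


def owners_of_inodes(inodes, fd_links):
    """Map socket inodes to the PIDs holding them, given (pid, readlink target) pairs."""
    owners = {}
    for pid, target in fd_links:
        if target.startswith("socket:[") and target.endswith("]"):
            ino = int(target[8:-1])
            if ino in inodes:
                owners.setdefault(ino, set()).add(pid)
    return owners


def iter_fd_links(proc="/proc"):
    """Live /proc walk yielding (pid, link target); needs root to see other users' fds."""
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    yield pid, os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    continue
        except OSError:
            continue


if __name__ == "__main__":
    hits = find_listeners(SAMPLE_PROC_NET_TCP, MIRAI_PORTS, "little")
    for ip, port, ino in hits:
        print(f"LISTEN {ip}:{port} socket inode {ino}")
    # On a live host: owners_of_inodes({ino for _, _, ino in hits}, iter_fd_links())
```

On a real device the follow-up is `readlink /proc/<pid>/exe` for each owning PID; a listener on 23 or 37215 whose executable lives in /tmp, as /tmp/MPnFvIsvJp does here, is the finding. Note that /proc/net/tcp6 uses the same layout with 32-hex-digit addresses, which this parser does not decode.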
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 176.126.175.188
Source: unknown TCP traffic detected without corresponding DNS query: 141.236.143.83
Source: unknown TCP traffic detected without corresponding DNS query: 92.42.25.252
Source: unknown TCP traffic detected without corresponding DNS query: 254.81.82.214
Source: unknown TCP traffic detected without corresponding DNS query: 114.119.111.231
Source: unknown TCP traffic detected without corresponding DNS query: 80.122.42.242
Source: unknown TCP traffic detected without corresponding DNS query: 101.82.42.191
Source: unknown TCP traffic detected without corresponding DNS query: 2.85.105.98
Source: unknown TCP traffic detected without corresponding DNS query: 53.225.130.44
Source: unknown TCP traffic detected without corresponding DNS query: 35.216.80.163
Source: unknown TCP traffic detected without corresponding DNS query: 250.204.96.3
Source: unknown TCP traffic detected without corresponding DNS query: 178.155.158.132
Source: unknown TCP traffic detected without corresponding DNS query: 37.226.184.57
Source: unknown TCP traffic detected without corresponding DNS query: 4.101.100.125
Source: unknown TCP traffic detected without corresponding DNS query: 59.2.58.91
Source: unknown TCP traffic detected without corresponding DNS query: 111.68.240.159
Source: unknown TCP traffic detected without corresponding DNS query: 145.127.203.168
Source: unknown TCP traffic detected without corresponding DNS query: 93.111.178.142
Source: unknown TCP traffic detected without corresponding DNS query: 109.227.12.105
Source: unknown TCP traffic detected without corresponding DNS query: 166.155.133.136
Source: unknown TCP traffic detected without corresponding DNS query: 45.253.45.196
Source: unknown TCP traffic detected without corresponding DNS query: 114.127.150.38
Source: unknown TCP traffic detected without corresponding DNS query: 142.134.60.96
Source: unknown TCP traffic detected without corresponding DNS query: 90.183.57.44
Source: unknown TCP traffic detected without corresponding DNS query: 254.63.233.189
Source: unknown TCP traffic detected without corresponding DNS query: 125.45.23.97
Source: unknown TCP traffic detected without corresponding DNS query: 252.237.198.223
Source: unknown TCP traffic detected without corresponding DNS query: 61.95.222.35
Source: unknown TCP traffic detected without corresponding DNS query: 120.14.42.228
Source: unknown TCP traffic detected without corresponding DNS query: 84.58.140.225
Source: unknown TCP traffic detected without corresponding DNS query: 81.108.193.140
Source: unknown TCP traffic detected without corresponding DNS query: 9.127.16.250
Source: unknown TCP traffic detected without corresponding DNS query: 246.101.183.47
Source: unknown TCP traffic detected without corresponding DNS query: 165.115.26.237
Source: unknown TCP traffic detected without corresponding DNS query: 152.146.155.12
Source: unknown TCP traffic detected without corresponding DNS query: 145.117.154.94
Source: unknown TCP traffic detected without corresponding DNS query: 48.5.50.187
Source: unknown TCP traffic detected without corresponding DNS query: 243.134.35.78
Source: unknown TCP traffic detected without corresponding DNS query: 27.154.165.37
Source: unknown TCP traffic detected without corresponding DNS query: 23.226.106.55
Source: unknown TCP traffic detected without corresponding DNS query: 166.27.220.118
Source: unknown TCP traffic detected without corresponding DNS query: 182.169.48.199
Source: unknown TCP traffic detected without corresponding DNS query: 207.126.60.86
Source: unknown TCP traffic detected without corresponding DNS query: 84.168.179.71
Source: unknown TCP traffic detected without corresponding DNS query: 53.149.80.83
Source: unknown TCP traffic detected without corresponding DNS query: 20.182.141.7
Source: unknown TCP traffic detected without corresponding DNS query: 87.233.107.0
Source: unknown TCP traffic detected without corresponding DNS query: 95.130.139.211
Source: unknown TCP traffic detected without corresponding DNS query: 161.154.243.114
Source: unknown TCP traffic detected without corresponding DNS query: 74.133.199.57
Source: motd-news.18.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary:

Sample tries to kill many processes (SIGKILL)
(Note: PID 5270 is the sample's own earlier instance (it appears in the socket list above), so that SIGKILL is the bot replacing a previous copy of itself, the single-instance behaviour Mirai implements. Several of the other targets (759, 800, 884, 1334, 1335, 1860) also appear in the /proc enumeration listed under Persistence below, which is how the killer selected them.)
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 936, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 5270, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 720, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 759, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 788, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 800, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 847, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 884, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 1860, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 2191, result: successful
Source: /tmp/MPnFvIsvJp (PID: 5276) SIGKILL sent: pid: 2208, result: successful
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
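The "32 / elf / powerpc" tags and the ".symtab present: no" finding both come straight from the ELF header and section header table. As an added example (not part of the Joe Sandbox report), the following Python shows how they are derived. It builds a constructed minimal ELF32 big-endian PowerPC image in memory instead of using the sample itself; to run it on the real file, pass the bytes of MPnFvIsvJp to inspect_elf().

```python
import struct

SHT_SYMTAB = 2
SHT_STRTAB = 3
EM_PPC = 20
EM_NAMES = {2: "SPARC", 3: "x86", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
            40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}


def inspect_elf(data):
    """Read class, byte order, machine and whether any SHT_SYMTAB section exists."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]       # 1 = ELF32 / 2 = ELF64, 1 = LSB / 2 = MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    end = ">" if ei_data == 2 else "<"
    e_machine, = struct.unpack_from(end + "H", data, 18)
    if ei_class == 1:                            # ELF32 header offsets
        e_shoff, = struct.unpack_from(end + "I", data, 32)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 46)
    else:                                        # ELF64 header offsets
        e_shoff, = struct.unpack_from(end + "Q", data, 40)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 58)
    types = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + 8 > len(data):
            raise ValueError("section header table runs past end of file")
        # sh_name and sh_type are the first two 32-bit words in both ELF32 and ELF64
        _, sh_type = struct.unpack_from(end + "II", data, off)
        types.append(sh_type)
    # e_shnum == 0 (section table removed, e.g. by sstrip) also yields has_symtab=False;
    # a regular `strip` keeps the table but drops SHT_SYMTAB, which is what the
    # report's ".symtab present: no" records.
    return {"class": 32 if ei_class == 1 else 64,
            "endian": "big" if ei_data == 2 else "little",
            "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
            "has_symtab": SHT_SYMTAB in types,
            "section_count": e_shnum}


def report_tags(info):
    """Header-derived tags in the style of the report's Tags line (the family tag is Yara's, not the header's)."""
    return [str(info["class"]), "elf", info["machine"].lower()]


def build_elf32(machine, end=">", with_symtab=False):
    """Constructed minimal ELF32 image: header, .shstrtab, optional empty .symtab, section table."""
    shstrtab = b"\0.shstrtab\0.symtab\0"        # name offsets: .shstrtab = 1, .symtab = 11
    symtab = b"\0" * 16 if with_symtab else b""  # one null Elf32_Sym (16 bytes)
    shstr_off = 52                               # sizeof(Elf32_Ehdr)
    sym_off = shstr_off + len(shstrtab)
    shoff = sym_off + len(symtab)
    secs = [(0, 0, 0, 0), (1, SHT_STRTAB, shstr_off, len(shstrtab))]
    if with_symtab:
        secs.append((11, SHT_SYMTAB, sym_off, len(symtab)))
    ident = b"\x7fELF" + bytes([1, 2 if end == ">" else 1, 1, 0, 0]) + b"\0" * 7
    # e_type=ET_EXEC, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH",
                               2, machine, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(secs), 1)
    shdrs = b"".join(struct.pack(end + "IIIIIIIIII", name, typ, 0, 0, off, size, 0, 0, 1, 0)
                     for name, typ, off, size in secs)
    return ehdr + shstrtab + symtab + shdrs


if __name__ == "__main__":
    info = inspect_elf(build_elf32(EM_PPC))
    print(info, report_tags(info))
```

Absence of a symbol table is what makes the sandbox flag "stripped"; it says nothing about packing or obfuscation, and a binary with its whole section header table removed would report the same while also defeating tools that rely on section names.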
Sample tries to kill a process (SIGKILL)
Source: /tmp/MPnFvIsvJp (PID: 5276) (same eighteen SIGKILL events as listed under "Sample tries to kill many processes (SIGKILL)" above)
Source: classification engine Classification label: mal72.spre.troj.lin@0/3@0/0
Source: MPnFvIsvJp Joe Sandbox Cloud Basic: Detection: clean Score: 0

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
(Note: opening /proc/<pid>/exe and /proc/<pid>/fd for every PID is how a Mirai-style killer resolves each process's executable path and open sockets before deciding whether to SIGKILL it; compare the PIDs below with the SIGKILL list under System Summary.)
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2033/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2033/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1582/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1582/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2275/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1612/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1612/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1579/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1579/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1699/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1699/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1335/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1335/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1698/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1698/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2028/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2028/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1334/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1334/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1576/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1576/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2302/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/3236/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2025/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2025/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2146/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2146/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/910/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/912/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/912/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/912/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/759/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/759/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/759/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/517/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2307/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/918/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/918/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/918/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1594/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1594/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2285/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2281/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/5270/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1349/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1349/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1623/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1623/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/761/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/761/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/761/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1622/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1622/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/884/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/884/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/884/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1983/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1983/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2038/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2038/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1586/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1586/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1465/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1465/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1344/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1344/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1860/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1860/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1463/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1463/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2156/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2156/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/800/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/800/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/800/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/801/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/801/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/801/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1629/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1629/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1627/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1627/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1900/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1900/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/491/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/491/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/491/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2294/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2050/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/2050/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1877/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1877/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/772/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/772/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/772/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1633/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1633/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1599/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1599/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1632/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1632/exe
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1477/fd
Source: /tmp/MPnFvIsvJp (PID: 5276) File opened: /proc/1477/exe
Executes the "rm" command used to delete files or directories
(Note: the rm is issued by a /usr/bin/dash process (PID 5221) that predates the sample's first PID (5267) and removes mktemp-style temporary files; the report shows no parent relationship to the sample, so this is more likely the analysis harness's cleanup than the sample's doing.)
Source: /usr/bin/dash (PID: 5221) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.nd5wZIclrj /tmp/tmp.zShyQQ7qTu /tmp/tmp.3SdD1ZBLJc

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown (same port-23 flows as listed under Networking above)

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
(Note: the qemu-ppc and qemu-binfmt strings in the memory dumps below, like the sudo environment block, are artifacts of running this PowerPC binary under user-mode QEMU on the x86_64 analysis host rather than strings the sample carries; a sample that inspects its own memory or the uname output could use such traces to recognise emulation.)
Source: /tmp/MPnFvIsvJp (PID: 5267) Queries kernel information via 'uname'
Source: MPnFvIsvJp, 5267.1.000000000d0936a4.000000009ef99e4c.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: MPnFvIsvJp, 5270.1.000000000d0936a4.000000009ef99e4c.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: MPnFvIsvJp, 5267.1.000000000d0936a4.000000009ef99e4c.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: MPnFvIsvJp, 5267.1.00000000c3376e66.00000000dbbd983f.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: MPnFvIsvJp, 5267.1.00000000c3376e66.00000000dbbd983f.rw-.sdmp Binary or memory string: CJx86_64/usr/bin/qemu-ppc/tmp/MPnFvIsvJpSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/MPnFvIsvJp

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP