Linux Analysis Report Rpl2Twyrts

Overview

General Information

Sample Name: Rpl2Twyrts
Analysis ID: 507421
MD5: 4635e3761f10a21d01fec0df9fa36e2f
SHA1: a33d4b91fc25603b0ed98b17381f6a6e017f6c32
SHA256: 91ccea41a26fce7feab89f9b17c889b9f7c37f29b5b5a9390a7d3f2990f43cfa
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill many processes (SIGKILL)
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Rpl2Twyrts Virustotal: Detection: 50%
Source: Rpl2Twyrts ReversingLabs: Detection: 53%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33338
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33338
Source: Traffic Snort IDS: 492 INFO TELNET login failed 115.218.14.34:23 -> 192.168.2.23:41338
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34618
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34618
Source: Traffic Snort IDS: 492 INFO TELNET login failed 115.218.14.34:23 -> 192.168.2.23:41376
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 92.34.49.134: -> 192.168.2.23:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34686
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34686
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43666
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43694
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43696
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43730
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34742
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34742
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43736
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43746
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43752
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33544
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33544
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43762
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:34908
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43772
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43782
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34832
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34832
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:41952
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:41952
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:34954
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34874
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34874
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42000
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42000
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35004
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35022
Source: Traffic Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43856
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34940
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34940
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33688
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33688
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42056
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42056
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43856
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35044
Source: Traffic Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43872
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:51930
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:51930
Source: Traffic Snort IDS: 716 INFO TELNET access 111.118.117.166:23 -> 192.168.2.23:59234
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:34968
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:34968
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35074
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.118.117.166:23 -> 192.168.2.23:59234
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.118.117.166:23 -> 192.168.2.23:59234
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42094
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42094
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43872
Source: Traffic Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43920
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:51964
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:51964
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:35000
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:35000
Source: Traffic Snort IDS: 716 INFO TELNET access 111.118.117.166:23 -> 192.168.2.23:59358
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35152
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43920
Source: Traffic Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53378
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42210
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42210
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 111.118.117.166:23 -> 192.168.2.23:59358
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 111.118.117.166:23 -> 192.168.2.23:59358
Source: Traffic Snort IDS: 492 INFO TELNET login failed 121.190.249.90:23 -> 192.168.2.23:53378
Source: Traffic Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:44042
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:52076
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:52076
Source: Traffic Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53420
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 121.137.0.70:23 -> 192.168.2.23:35136
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 121.137.0.70:23 -> 192.168.2.23:35136
Source: Traffic Snort IDS: 492 INFO TELNET login failed 121.190.249.90:23 -> 192.168.2.23:53420
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:44042
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33888
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33888
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 181.114.224.143:23 -> 192.168.2.23:60320
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 181.114.224.143:23 -> 192.168.2.23:60320
Source: Traffic Snort IDS: 492 INFO TELNET login failed 117.141.39.60:23 -> 192.168.2.23:35240
Source: Traffic Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53434
Source: Traffic Snort IDS: 716 INFO TELNET access 111.118.117.166:23 -> 192.168.2.23:59424
Source: Traffic Snort IDS: 492 INFO TELNET login failed 121.190.249.90:23 -> 192.168.2.23:53434
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 219.85.186.111:23 -> 192.168.2.23:42274
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 219.85.186.111:23 -> 192.168.2.23:42274
Source: Traffic Snort IDS: 716 INFO TELNET access 121.190.249.90:23 -> 192.168.2.23:53446
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.134.5.70:23 -> 192.168.2.23:52138
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.134.5.70:23 -> 192.168.2.23:52138
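The direction of these alerts is the point worth reading carefully: port 23 is always on the remote side (85.105.51.241:23 -> 192.168.2.23:33338), so every "Bad Login" and "login failed" alert is a telnet server on the internet answering the analysis VM. The VM is the client, which means the sample is the party trying logins across many hosts. The following is an added example, not part of this report or of Joe Sandbox, that parses a constructed subset of the alert lines above, groups them by remote telnet server, separates "access" (sid 716, the server presented a login prompt) from rejected logins (sids 492, 718, 1251), and raises a brute-force verdict when several distinct hosts were contacted. The regex, the sandbox IP and the thresholds are assumptions for this illustration:

```python
import re
from collections import defaultdict

# Excerpt of the Snort alert lines from this report (constructed subset, copied from the listing above).
SNORT_LINES = """\
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 85.105.51.241:23 -> 192.168.2.23:33338
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 85.105.51.241:23 -> 192.168.2.23:33338
Source: Traffic Snort IDS: 492 INFO TELNET login failed 115.218.14.34:23 -> 192.168.2.23:41338
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43666
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.232.219:23 -> 192.168.2.23:43694
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 92.34.49.134: -> 192.168.2.23:
Source: Traffic Snort IDS: 716 INFO TELNET access 61.155.111.226:23 -> 192.168.2.23:43856
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.155.111.226:23 -> 192.168.2.23:43856
"""

# "<sid> <message> <src>:<sport> -> <dst>:<dport>"; the ports are empty for ICMP alerts.
ALERT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d*) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d*)$"
)
FAILED_SIDS = {"492", "718", "1251"}   # login failed / login incorrect / Bad Login
ACCESS_SID = "716"                     # server sent its login prompt (the TCP connect succeeded)

def parse_alerts(text):
    """One dict per alert line; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (ALERT_RE.search(line) for line in text.splitlines()) if m]

def summarize_telnet(alerts, sandbox_ip="192.168.2.23"):
    """Group telnet alerts by the remote server.

    Port 23 is on the *source* side of every alert and the sandbox VM is the
    destination, so the VM is the telnet client: the sample is the one trying
    logins, and each failed-login alert is a server rejecting one of its guesses."""
    per_host = defaultdict(lambda: {"sessions": set(), "access": 0, "failed": 0})
    for a in alerts:
        if a["sport"] != "23" or a["dst"] != sandbox_ip:
            continue  # not a telnet reply to the VM (e.g. the ICMP alert)
        host = per_host[a["src"]]
        host["sessions"].add(a["dport"])      # client ephemeral port = one TCP session
        if a["sid"] == ACCESS_SID:
            host["access"] += 1
        elif a["sid"] in FAILED_SIDS:
            host["failed"] += 1
    return dict(per_host)

def looks_like_telnet_bruteforce(summary, min_hosts=3):
    """Outbound telnet sessions to several distinct hosts with at least one rejected login."""
    return len(summary) >= min_hosts and any(h["failed"] for h in summary.values())

if __name__ == "__main__":
    summary = summarize_telnet(parse_alerts(SNORT_LINES))
    for ip, h in sorted(summary.items()):
        print(f"{ip:16} sessions={len(h['sessions'])} access={h['access']} failed={h['failed']}")
    print("telnet brute-force:", looks_like_telnet_bruteforce(summary))
```

Run against the full alert list from the report, the same code gives one row per brute-forced host; the "access" count alone says only that the remote telnet service answered, while "failed" counts the credentials the sample tried and lost.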
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47728
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47732
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47736
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47744
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47750
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47754
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47760
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47764
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47770
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47778
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Note: these three connections are attributed to "global traffic", not to the /tmp/Rpl2Twyrts process, so they should not be read as the sample fetching a payload unless the behavior log shows which process opened them.
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:44200 -> 176.126.175.188:1312
Sample listens on a socket
Source: /tmp/Rpl2Twyrts (PID: 5248) Socket: 0.0.0.0::0
Source: /tmp/Rpl2Twyrts (PID: 5248) Socket: 0.0.0.0::23
Source: /tmp/Rpl2Twyrts (PID: 5248) Socket: 0.0.0.0::53413
Source: /tmp/Rpl2Twyrts (PID: 5248) Socket: 0.0.0.0::80
Source: /tmp/Rpl2Twyrts (PID: 5248) Socket: 0.0.0.0::52869
Source: /tmp/Rpl2Twyrts (PID: 5248) Socket: 0.0.0.0::37215
Source: /tmp/Rpl2Twyrts (PID: 5254) Socket: 0.0.0.0::0
Source: /tmp/Rpl2Twyrts (PID: 5254) Socket: 0.0.0.0::23
Source: /tmp/Rpl2Twyrts (PID: 5254) Socket: 0.0.0.0::53413
Source: /tmp/Rpl2Twyrts (PID: 5254) Socket: 0.0.0.0::80
Source: /tmp/Rpl2Twyrts (PID: 5254) Socket: 0.0.0.0::52869
Source: /tmp/Rpl2Twyrts (PID: 5254) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5290) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5290) Socket: [::]::22
Note: the two sshd entries belong to the analysis VM's own SSH daemon (PID 5290), not to the sample; only the /tmp/Rpl2Twyrts entries are sample behavior.
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 176.126.175.188
Source: unknown TCP traffic detected without corresponding DNS query: 99.22.166.11
Source: unknown TCP traffic detected without corresponding DNS query: 63.165.84.11
Source: unknown TCP traffic detected without corresponding DNS query: 223.195.0.116
Source: unknown TCP traffic detected without corresponding DNS query: 35.118.13.8
Source: unknown TCP traffic detected without corresponding DNS query: 149.182.9.19
Source: unknown TCP traffic detected without corresponding DNS query: 24.8.223.69
Source: unknown TCP traffic detected without corresponding DNS query: 182.145.206.142
Source: unknown TCP traffic detected without corresponding DNS query: 9.67.65.67
Source: unknown TCP traffic detected without corresponding DNS query: 240.16.115.86
Source: unknown TCP traffic detected without corresponding DNS query: 12.43.212.21
Source: unknown TCP traffic detected without corresponding DNS query: 108.55.127.139
Source: unknown TCP traffic detected without corresponding DNS query: 201.247.47.135
Source: unknown TCP traffic detected without corresponding DNS query: 9.169.231.174
Source: unknown TCP traffic detected without corresponding DNS query: 223.11.182.21
Source: unknown TCP traffic detected without corresponding DNS query: 175.215.68.114
Source: unknown TCP traffic detected without corresponding DNS query: 76.131.185.195
Source: unknown TCP traffic detected without corresponding DNS query: 204.186.55.14
Source: unknown TCP traffic detected without corresponding DNS query: 104.42.93.127
Source: unknown TCP traffic detected without corresponding DNS query: 91.185.36.65
Source: unknown TCP traffic detected without corresponding DNS query: 73.185.144.44
Source: unknown TCP traffic detected without corresponding DNS query: 46.44.202.14
Source: unknown TCP traffic detected without corresponding DNS query: 146.90.157.91
Source: unknown TCP traffic detected without corresponding DNS query: 207.19.164.238
Source: unknown TCP traffic detected without corresponding DNS query: 2.5.107.224
Source: unknown TCP traffic detected without corresponding DNS query: 65.109.217.140
Source: unknown TCP traffic detected without corresponding DNS query: 193.187.14.64
Source: unknown TCP traffic detected without corresponding DNS query: 72.239.120.156
Source: unknown TCP traffic detected without corresponding DNS query: 164.30.143.68
Source: unknown TCP traffic detected without corresponding DNS query: 155.206.205.161
Source: unknown TCP traffic detected without corresponding DNS query: 19.156.56.61
Source: unknown TCP traffic detected without corresponding DNS query: 51.5.236.88
Source: unknown TCP traffic detected without corresponding DNS query: 206.22.155.20
Source: unknown TCP traffic detected without corresponding DNS query: 170.182.30.23
Source: unknown TCP traffic detected without corresponding DNS query: 66.95.128.129
Source: unknown TCP traffic detected without corresponding DNS query: 67.85.248.138
Source: unknown TCP traffic detected without corresponding DNS query: 209.218.75.6
Source: unknown TCP traffic detected without corresponding DNS query: 104.187.122.215
Source: unknown TCP traffic detected without corresponding DNS query: 218.248.90.54
Source: unknown TCP traffic detected without corresponding DNS query: 218.93.181.123
Source: unknown TCP traffic detected without corresponding DNS query: 76.42.25.135
Source: unknown TCP traffic detected without corresponding DNS query: 211.104.2.117
Source: unknown TCP traffic detected without corresponding DNS query: 203.176.253.233
Source: unknown TCP traffic detected without corresponding DNS query: 149.176.173.143
Source: unknown TCP traffic detected without corresponding DNS query: 170.185.42.8
Source: unknown TCP traffic detected without corresponding DNS query: 187.248.51.123
Source: unknown TCP traffic detected without corresponding DNS query: 125.220.33.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.187.68.56
Source: unknown TCP traffic detected without corresponding DNS query: 211.170.82.218
Source: unknown TCP traffic detected without corresponding DNS query: 117.189.183.121
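The long list of TCP destinations with no preceding DNS query is itself a signal: a legitimate client resolves names, while a scanner draws addresses at random, which is why the targets are spread over unrelated /8 networks and even include space that is not routable on the public internet (240.16.115.86 lies in the reserved 240.0.0.0/4 block). The following is an added example, not part of this report or of Joe Sandbox, that profiles a constructed subset of the destination lines above with the standard ipaddress module and raises a random-scan verdict from the count, the /8 spread and the presence of non-global targets. The thresholds are assumptions chosen for this illustration:

```python
import ipaddress
from collections import Counter

# Excerpt of the "TCP traffic detected without corresponding DNS query" lines from this
# report (constructed subset, copied from the listing above).
REPORT_LINES = """\
Source: unknown TCP traffic detected without corresponding DNS query: 176.126.175.188
Source: unknown TCP traffic detected without corresponding DNS query: 99.22.166.11
Source: unknown TCP traffic detected without corresponding DNS query: 9.67.65.67
Source: unknown TCP traffic detected without corresponding DNS query: 240.16.115.86
Source: unknown TCP traffic detected without corresponding DNS query: 12.43.212.21
Source: unknown TCP traffic detected without corresponding DNS query: 2.5.107.224
Source: unknown TCP traffic detected without corresponding DNS query: 193.187.14.64
Source: unknown TCP traffic detected without corresponding DNS query: 117.189.183.121
"""
MARKER = "without corresponding DNS query: "

def extract_targets(text):
    """Destination addresses from the report lines, as IPv4Address objects."""
    return [ipaddress.ip_address(line.split(MARKER, 1)[1].strip())
            for line in text.splitlines() if MARKER in line]

def profile_targets(ips):
    """Distinct targets, how many different /8 networks they fall in, and which
    are not globally routable (reserved, private, loopback ...): addresses a DNS
    answer or a human would not hand out, but a random IP generator does."""
    distinct = set(ips)
    slash8 = Counter(int(ip) >> 24 for ip in distinct)
    return {
        "distinct": len(distinct),
        "slash8_spread": len(slash8),
        "non_global": sorted(str(ip) for ip in distinct if not ip.is_global),
    }

def looks_like_random_scan(profile, min_distinct=5, min_spread_ratio=0.8):
    """Many distinct targets, nearly all in different /8s, none preceded by a DNS lookup."""
    if profile["distinct"] < min_distinct:
        return False
    return profile["slash8_spread"] / profile["distinct"] >= min_spread_ratio

if __name__ == "__main__":
    p = profile_targets(extract_targets(REPORT_LINES))
    print(p)
    print("random-target scan:", looks_like_random_scan(p))
```

The same profile applied to the full list in the report gives fifty distinct destinations in almost as many /8s; on a production sensor the equivalent rule is "many SYNs to distinct addresses with no DNS answer for any of them", with the non-global hits as a high-confidence corroborating signal.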

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/Rpl2Twyrts (PID: 5248) SIGKILL sent: pid: 936, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 5248, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 720, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 759, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 788, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 800, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 847, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 884, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 1860, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 2191, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 2208, result: successful
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
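The ".symtab present: no" finding is a section-header check: the static symbol table is an SHT_SYMTAB section, and a stripped binary simply has none. The following is an added example, not part of this report or of Joe Sandbox, that performs that check on raw ELF bytes without third-party dependencies, reporting class, endianness and machine along the way (the report's tags say 32-bit MIPS, and the qemu-mipsel strings later on say little-endian). It also handles the case a practitioner meets constantly with IoT payloads: a section header table removed entirely, where readelf prints nothing and the question "is .symtab present" has no answer. The build_elf32 helper constructs a minimal test image and is an assumption of this illustration, not the sample:

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_SYMTAB, SHT_STRTAB = 2, 3
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def parse_elf(data):
    """Identity and section summary of a raw ELF image.

    'stripped' is True when no SHT_SYMTAB section exists (the report's
    ".symtab present: no"). 'no_section_headers' flags binaries whose section
    header table was removed entirely, a common state for IoT payloads run
    through sstrip, where there is no .symtab to look for at all."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]
    if ei_class == 1:    # ELF32 header: 13 fields after the 16-byte e_ident
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        sh_fmt = end + "10I"
    elif ei_class == 2:  # ELF64
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        sh_fmt = end + "IIQQQQIIQQ"
    else:
        raise ValueError("bad EI_CLASS")
    e_machine, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[1], hdr[5], hdr[10], hdr[11], hdr[12]
    info = {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "no_section_headers": e_shoff == 0 or e_shnum == 0,
        "sections": [],
    }
    if info["no_section_headers"]:
        info["stripped"] = True
        return info
    headers = [struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab_off = headers[e_shstrndx][4]          # sh_offset of .shstrtab (field 4 in both layouts)

    def name_at(idx):
        nul = data.index(b"\x00", strtab_off + idx)
        return data[strtab_off + idx:nul].decode("ascii", "replace")

    info["sections"] = [(name_at(h[0]), h[1]) for h in headers]   # (name, sh_type)
    info["stripped"] = not any(sh_type == SHT_SYMTAB for _, sh_type in info["sections"])
    return info

def build_elf32(machine=8, little_endian=True, with_symtab=False, section_headers=True):
    """Constructed test image, not the sample: ELF32 header, a .shstrtab and optionally
    an empty .symtab; section_headers=False mimics a binary with the table removed."""
    end = "<" if little_endian else ">"
    shstrtab = b"\x00.shstrtab\x00.symtab\x00"   # name offsets: 1 -> .shstrtab, 11 -> .symtab
    shnum = (3 if with_symtab else 2) if section_headers else 0
    shoff = 52 + len(shstrtab) if section_headers else 0
    e_ident = ELF_MAGIC + bytes([1, 1 if little_endian else 2, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack(end + "HHIIIIIHHHHHH",
                                 2, machine, 1, 0, 0, shoff, 0, 52, 0, 0, 40, shnum, 1)
    null_sh = bytes(40)
    shstr_sh = struct.pack(end + "10I", 1, SHT_STRTAB, 0, 0, 52, len(shstrtab), 0, 0, 1, 0)
    symtab_sh = struct.pack(end + "10I", 11, SHT_SYMTAB, 0, 0, 52 + len(shstrtab) + 40 * 3, 0, 1, 0, 4, 16)
    return ehdr + shstrtab + null_sh + shstr_sh + (symtab_sh if with_symtab else b"")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf32()
    print(parse_elf(data))
```

Run as `python3 elfcheck.py Rpl2Twyrts` the script prints the same facts the report's static tab summarizes; `stripped` with `no_section_headers` False is this report's case, while `no_section_headers` True means the sample was post-processed harder than plain `strip` and any section-based tooling (YARA rules keyed on section names included) will see nothing.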
Sample tries to kill a process (SIGKILL)
Source: /tmp/Rpl2Twyrts (PID: 5248 and 5254) SIGKILL events identical to those listed under "Sample tries to kill many processes (SIGKILL)" above
Source: classification engine Classification label: mal72.spre.troj.lin@0/2@0/0
Source: Rpl2Twyrts Joe Sandbox Cloud Basic: Detection: clean Score: 0

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/<pid>/fd (twice) and /proc/<pid>/exe for pids 2033, 1582, 1612, 1579, 1699, 1335, 1698, 2028, 1334, 1576, 2025, 2146, 912, 759, 918, 1594, 1349, 1623, 761, 1622, 884, 1983, 2038, 1586, 1465, 1344
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/<pid>/exe only for pids 910, 517
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/<pid>/fd (twice, no exe) for pids 2275, 2302, 3236, 2307, 2285, 2281, 1
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/<pid>/fd (once, no exe) for pids 5268, 5272, 5273, 5274, 5275, 5276, 5277, 5278, 5279, 5270, 5271
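Read together with the SIGKILL list in the System Summary, the /proc enumeration is the Mirai killer at work: PID 5254 walks /proc, opens each process's fd directory and exe link to decide what it is looking at, and several of the PIDs whose exe it inspected (759, 884, 1334, 1335) are exactly the ones it then kills, alongside its own earlier instance 5248. The following is an added example, not part of this report or of Joe Sandbox, that parses a constructed subset of both listings in the per-event format Joe Sandbox uses, computes the overlap between inspected and killed PIDs per acting process, and returns the two verdicts a detection rule would key on. The sample PID set and the mass-kill threshold are assumptions of this illustration:

```python
import re

# Behaviour lines from this report in Joe Sandbox's per-event format: SIGKILLs sent by the
# two sample PIDs and a few of the /proc entries PID 5254 opened (constructed subset).
BEHAVIOR_LINES = """\
Source: /tmp/Rpl2Twyrts (PID: 5248) SIGKILL sent: pid: 936, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 5248, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 720, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 759, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 884, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/2033/fd
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/2033/exe
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/1335/fd
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/1335/exe
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/1334/exe
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/759/fd
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/759/exe
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/884/exe
Source: /tmp/Rpl2Twyrts (PID: 5254) File opened: /proc/1/fd
"""

KILL_RE = re.compile(r"\(PID: (?P<actor>\d+)\) SIGKILL sent: pid: (?P<victim>\d+), result: (?P<result>\w+)")
PROC_RE = re.compile(r"\(PID: (?P<actor>\d+)\) File opened: /proc/(?P<target>\d+)/(?P<entry>\w+)")

def parse_behavior(text):
    """Split the log into (actor, victim, succeeded) kills and (actor, target, entry) /proc opens."""
    kills, probes = [], []
    for line in text.splitlines():
        m = KILL_RE.search(line)
        if m:
            kills.append((int(m["actor"]), int(m["victim"]), m["result"] == "successful"))
            continue
        m = PROC_RE.search(line)
        if m:
            probes.append((int(m["actor"]), int(m["target"]), m["entry"]))
    return kills, probes

def killer_profile(kills, probes):
    """Per acting PID: processes whose /proc/<pid>/exe it opened, processes it killed,
    and the overlap. Reading a victim's exe link and scanning the binary behind it is
    how the Mirai killer picks victims; /proc/<pid>/fd-only opens are left out on purpose."""
    actors = {a for a, _, _ in kills} | {a for a, _, _ in probes}
    profile = {}
    for actor in sorted(actors):
        inspected = {t for a, t, e in probes if a == actor and e == "exe"}
        killed = {v for a, v, ok in kills if a == actor and ok}
        profile[actor] = {"inspected": inspected, "killed": killed,
                          "inspected_and_killed": inspected & killed}
    return profile

def verdicts(profile, sample_pids, mass_kill_threshold=5):
    """The two facts a detection rule would key on: one process killing many others,
    and the sample killing an earlier instance of itself (the single-instance handoff)."""
    return {
        "mass_kill": any(len(p["killed"]) >= mass_kill_threshold for p in profile.values()),
        "kills_own_earlier_instance": any(p["killed"] & sample_pids for p in profile.values()),
    }

if __name__ == "__main__":
    prof = killer_profile(*parse_behavior(BEHAVIOR_LINES))
    for actor, p in prof.items():
        print(actor, "inspected:", sorted(p["inspected"]), "killed:", sorted(p["killed"]),
              "both:", sorted(p["inspected_and_killed"]))
    print(verdicts(prof, sample_pids={5246, 5248, 5254}))
```

The report has no timestamps, so the overlap is a set intersection rather than a proven inspect-then-kill ordering; on a live host the same correlation comes from an audit rule on openat of /proc/*/exe plus kill(2) with SIGKILL from the same PID, where the ordering is available.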

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47728, 47732, 47736, 47744, 47750, 47754, 47760, 47764, 47770, 47778 (same events as listed under Networking above)

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/Rpl2Twyrts (PID: 5246) Queries kernel information via 'uname':
Source: Rpl2Twyrts, 5246.1.00000000e46a4f04.0000000018f5b09c.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: Rpl2Twyrts, 5246.1.00000000e46a4f04.0000000018f5b09c.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: Rpl2Twyrts, 5246.1.000000006915b6a7.0000000099a0e5b4.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/Rpl2TwyrtsSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Rpl2Twyrts
Source: Rpl2Twyrts, 5246.1.000000006915b6a7.0000000099a0e5b4.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
Note: the qemu-binfmt/qemu-mipsel paths and the x86_64 environment block come from the analysis host, which runs this little-endian MIPS binary under QEMU user-mode emulation (binfmt_misc hands /tmp/Rpl2Twyrts to /usr/bin/qemu-mipsel); they are memory of the emulator process, not strings compiled into the sample, and the uname result the sample sees is whatever the emulator reports.

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP (same match as listed under Stealing of Sensitive Information above)