Linux Analysis Report IcwrPqGkXP

Overview

General Information

Sample Name: IcwrPqGkXP
Analysis ID: 507447
MD5: 18fe913ce8856fc1ea6ebc0412e09da7
SHA1: ff1494dd42dcda452120a9af38a1f5550bd29c55
SHA256: dea614c4a0a319bb53e0d5d9b77d360e23d79e43e4c7a5179c9c3f6b66c26e74
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill many processes (SIGKILL)
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: IcwrPqGkXP Virustotal: Detection: 50%
Source: IcwrPqGkXP ReversingLabs: Detection: 54%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42082
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42082
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48464
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36450
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36450
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56124
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48672
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42336
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42336
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36516
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36516
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56172
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54750
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36576
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36576
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56204
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54778
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45858
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45882
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42560
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42570
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:42570 -> 120.194.66.6:23
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56270
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45906
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42582
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54854
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:42582 -> 120.194.66.6:23
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48816
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42594
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36640
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36640
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45932
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42604
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42626
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42638
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57340
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42644
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45980
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54912
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42534
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42534
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42668
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42682
Source: Traffic Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:56922 -> 115.74.246.212:23
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56386
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46032
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55004
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57438
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46074
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36786
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36786
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46102
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56474
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57480
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46122
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57498
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55068
Source: Traffic Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46138
Source: Traffic Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:57052 -> 115.74.246.212:23
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56516
Source: Traffic Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:57058 -> 115.74.246.212:23
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:49060
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57528
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36874
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36874
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55152
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57602
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56608
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42804
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42804
Source: Traffic Snort IDS: 716 INFO TELNET access 220.85.117.10:23 -> 192.168.2.23:45420
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57634
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36996
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36996
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55212
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57666
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56672
Source: Traffic Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52606
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57778
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55348
Source: Traffic Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52606
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:37156
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:37156
Source: Traffic Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56804
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:49344
Source: Traffic Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52694
Source: Traffic Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52694
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55398
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.10.172.131:23 -> 192.168.2.23:42474
Source: Traffic Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52726
Source: Traffic Snort IDS: 716 INFO TELNET access 27.210.215.115:23 -> 192.168.2.23:37176
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:37224
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:37224
Source: Traffic Snort IDS: 716 INFO TELNET access 220.85.117.10:23 -> 192.168.2.23:45678
Source: Traffic Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52726
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.210.215.115:23 -> 192.168.2.23:37176
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.210.215.115:23 -> 192.168.2.23:37176
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:43088
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:43088
Source: Traffic Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52796
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.10.172.131:23 -> 192.168.2.23:42554
Source: Traffic Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52796
Source: Traffic Snort IDS: 716 INFO TELNET access 27.210.215.115:23 -> 192.168.2.23:37242
Source: Traffic Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52818
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:37312
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:37312
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.210.215.115:23 -> 192.168.2.23:37242
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.210.215.115:23 -> 192.168.2.23:37242
Source: Traffic Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52818
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.10.172.131:23 -> 192.168.2.23:42576
Source: Traffic Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57948
Source: Traffic Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52840
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:49502
Uses known network protocols on non-standard ports (note: the classifier tagged these port-23 flows as HTTP; port 23 is telnet, and flows of this kind are what raised the TELNET Snort alerts above, so read the HTTP label as the sandbox's protocol heuristic rather than as confirmed HTTP traffic)
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43252
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43256
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43260
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43268
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43286
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43316
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43292
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43322
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43342
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43344
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43362
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43366
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43374
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43360
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37882
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37884
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37890
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37896
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37898
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37900
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37908
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37914
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior) (note: 91.189.91.42 and 91.189.91.43 lie in Canonical's Ubuntu address range, so those two connections are more likely the guest's own background traffic than the sample's dropper; confirm which process opened each connection before using any of these three addresses as an indicator)
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Detected TCP or UDP traffic on non-standard ports (note: 176.126.175.188 is contacted without any DNS lookup, see the list further below, i.e. the address is hard-coded in the binary; treat 176.126.175.188:1312 as the candidate C2 endpoint rather than as confirmed C2 until the network dump is checked)
Source: global traffic TCP traffic: 192.168.2.23:44200 -> 176.126.175.188:1312
Sample listens on a socket (note: the ports bound by the sample's own PIDs 5253 and 5259, namely 22, 23, 80, 37215 (Huawei HG532 UPnP), 52869 (Realtek SDK UPnP) and 53413 (Netis router backdoor), are the service ports that Mirai-family telnet and exploit scanners target, so check whether these are bind() or connect() endpoints before treating them as listeners; the sshd entries are the guest's own SSH daemon, whose PIDs 5290 and 5405 the sample later SIGKILLs, see System Summary)
Source: /tmp/IcwrPqGkXP (PID: 5253) Socket: 0.0.0.0::0
Source: /tmp/IcwrPqGkXP (PID: 5253) Socket: 0.0.0.0::23
Source: /tmp/IcwrPqGkXP (PID: 5253) Socket: 0.0.0.0::53413
Source: /tmp/IcwrPqGkXP (PID: 5253) Socket: 0.0.0.0::80
Source: /tmp/IcwrPqGkXP (PID: 5253) Socket: 0.0.0.0::52869
Source: /tmp/IcwrPqGkXP (PID: 5253) Socket: 0.0.0.0::37215
Source: /tmp/IcwrPqGkXP (PID: 5259) Socket: 0.0.0.0::22
Source: /tmp/IcwrPqGkXP (PID: 5259) Socket: 0.0.0.0::23
Source: /tmp/IcwrPqGkXP (PID: 5259) Socket: 0.0.0.0::53413
Source: /tmp/IcwrPqGkXP (PID: 5259) Socket: 0.0.0.0::80
Source: /tmp/IcwrPqGkXP (PID: 5259) Socket: 0.0.0.0::52869
Source: /tmp/IcwrPqGkXP (PID: 5259) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5290) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5405) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5405) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5407) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5407) Socket: [::]::22
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 176.126.175.188
Source: unknown TCP traffic detected without corresponding DNS query: 75.91.152.247
Source: unknown TCP traffic detected without corresponding DNS query: 184.237.126.242
Source: unknown TCP traffic detected without corresponding DNS query: 40.172.207.84
Source: unknown TCP traffic detected without corresponding DNS query: 183.218.255.83
Source: unknown TCP traffic detected without corresponding DNS query: 111.242.180.118
Source: unknown TCP traffic detected without corresponding DNS query: 171.59.92.231
Source: unknown TCP traffic detected without corresponding DNS query: 203.25.197.232
Source: unknown TCP traffic detected without corresponding DNS query: 118.2.251.79
Source: unknown TCP traffic detected without corresponding DNS query: 118.68.125.140
Source: unknown TCP traffic detected without corresponding DNS query: 38.74.198.225
Source: unknown TCP traffic detected without corresponding DNS query: 253.114.31.118
Source: unknown TCP traffic detected without corresponding DNS query: 108.211.59.236
Source: unknown TCP traffic detected without corresponding DNS query: 180.15.42.13
Source: unknown TCP traffic detected without corresponding DNS query: 169.50.228.79
Source: unknown TCP traffic detected without corresponding DNS query: 166.73.1.187
Source: unknown TCP traffic detected without corresponding DNS query: 155.111.169.178
Source: unknown TCP traffic detected without corresponding DNS query: 69.40.101.27
Source: unknown TCP traffic detected without corresponding DNS query: 194.3.176.129
Source: unknown TCP traffic detected without corresponding DNS query: 179.22.6.207
Source: unknown TCP traffic detected without corresponding DNS query: 212.177.222.62
Source: unknown TCP traffic detected without corresponding DNS query: 89.209.189.20
Source: unknown TCP traffic detected without corresponding DNS query: 71.68.153.155
Source: unknown TCP traffic detected without corresponding DNS query: 179.190.66.93
Source: unknown TCP traffic detected without corresponding DNS query: 191.62.73.5
Source: unknown TCP traffic detected without corresponding DNS query: 80.40.242.1
Source: unknown TCP traffic detected without corresponding DNS query: 252.19.250.113
Source: unknown TCP traffic detected without corresponding DNS query: 79.158.185.6
Source: unknown TCP traffic detected without corresponding DNS query: 86.152.55.178
Source: unknown TCP traffic detected without corresponding DNS query: 250.76.71.171
Source: unknown TCP traffic detected without corresponding DNS query: 145.187.24.155
Source: unknown TCP traffic detected without corresponding DNS query: 4.31.189.126
Source: unknown TCP traffic detected without corresponding DNS query: 95.9.175.225
Source: unknown TCP traffic detected without corresponding DNS query: 8.138.189.91
Source: unknown TCP traffic detected without corresponding DNS query: 217.216.63.38
Source: unknown TCP traffic detected without corresponding DNS query: 178.1.203.237
Source: unknown TCP traffic detected without corresponding DNS query: 77.69.105.75
Source: unknown TCP traffic detected without corresponding DNS query: 146.188.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 245.105.21.99
Source: unknown TCP traffic detected without corresponding DNS query: 147.125.98.210
Source: unknown TCP traffic detected without corresponding DNS query: 130.32.135.51
Source: unknown TCP traffic detected without corresponding DNS query: 197.87.52.245
Source: unknown TCP traffic detected without corresponding DNS query: 171.15.242.108
Source: unknown TCP traffic detected without corresponding DNS query: 133.158.120.223
Source: unknown TCP traffic detected without corresponding DNS query: 133.197.139.22
Source: unknown TCP traffic detected without corresponding DNS query: 119.230.119.116
Source: unknown TCP traffic detected without corresponding DNS query: 141.12.150.118
Source: unknown TCP traffic detected without corresponding DNS query: 176.117.57.57
Source: unknown TCP traffic detected without corresponding DNS query: 151.105.216.116
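The Snort list above is hard to read line by line; what matters is direction. Alerts from remote:23 towards 192.168.2.23 (SIDs 492, 716, 718, 1251) are banners and "login incorrect" replies from hosts the sample brute-forced over telnet, while the ET TROJAN SIDs 2023448, 2023433 and 2023434 match the sample's own outbound logins and name the credential tried (ubnt, 7ujMko0admin, 7ujMko0vizxv). The Python below is an added example, not Joe Sandbox code: it parses report lines in the format shown above (a constructed subset of those lines is embedded as sample input) and splits them by direction relative to the analysis VM, which is assumed to be 192.168.2.23 as in this report.

```python
"""Triage the 'Source: Traffic Snort IDS: ...' lines of a sandbox report.

Added example (not Joe Sandbox code). SAMPLE_ALERTS is a constructed subset
copied from the report above; SANDBOX_HOST is the analysis VM address as it
appears there.
"""
import re
from collections import Counter, defaultdict

SANDBOX_HOST = "192.168.2.23"

# ET TROJAN rules that match the sample's *outbound* telnet logins; every other
# SID in the report ("INFO TELNET ..." 492/716/718/1251) fires on the *inbound*
# banner or "login incorrect" reply from a host the sample scanned.
MIRAI_LOGIN_SIDS = {"2023448", "2023433", "2023434"}

ALERT_RE = re.compile(
    r"^Source: Traffic Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

SAMPLE_ALERTS = """\
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42082
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42082
Source: Traffic Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48464
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:42570 -> 120.194.66.6:23
Source: Traffic Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42582
Source: Traffic Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:56922 -> 115.74.246.212:23
Source: Traffic Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:57052 -> 115.74.246.212:23
Source: Traffic Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54750
"""


def parse_alerts(text):
    """Yield one dict per well-formed alert line; anything else is skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(text, sandbox_host=SANDBOX_HOST):
    """Split the alerts by direction relative to the analysis VM.

    Returns (logins, replies, peers):
      logins  - Counter of the credential hint in the ET rule message
                (e.g. 'ubnt') for each outbound Mirai login attempt
      replies - Counter of Snort SID for inbound replies sent back to the VM
      peers   - dict remote_ip -> set of remote ports the VM talked to
    """
    logins, replies, peers = Counter(), Counter(), defaultdict(set)
    for a in parse_alerts(text):
        if a["src"] == sandbox_host:
            peers[a["dst"]].add(int(a["dport"]))
            if a["sid"] in MIRAI_LOGIN_SIDS:
                # the ET message ends in "(<credential>)"; keep only that token
                logins[a["msg"].rsplit("(", 1)[-1].rstrip(")")] += 1
        elif a["dst"] == sandbox_host:
            replies[a["sid"]] += 1
            peers[a["src"]].add(int(a["sport"]))
    return logins, replies, dict(peers)


def scan_summary(text, sandbox_host=SANDBOX_HOST):
    """The figures a triage note would carry: how many distinct hosts the VM
    touched on which ports, which credentials the IDS saw it try, and how many
    replies came back."""
    logins, replies, peers = triage(text, sandbox_host)
    ports = sorted({p for ps in peers.values() for p in ps})
    return {
        "hosts": len(peers),
        "ports": ports,
        "credentials_tried": sorted(logins),
        "inbound_alerts": sum(replies.values()),
    }


if __name__ == "__main__":
    print(scan_summary(SAMPLE_ALERTS))
```

On the embedded subset the summary reports five distinct hosts, all on port 23, three credentials tried and five inbound replies; on the full list above the same script shows that every remote host is contacted on port 23 only, which is the telnet-scanner behaviour the Yara and ET rules classify as Mirai.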

System Summary:

Sample tries to kill many processes (SIGKILL) (note: among the targets, 5290 and 5405 are the guest's sshd processes from the socket list above, 5259 is another instance of the sample, and the last entry from PID 5253, target 5253, is the sample's own PID)
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 5259, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 720, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 759, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 788, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 800, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 847, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 884, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2191, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2208, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2275, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2281, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2285, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2289, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 2294, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 5255, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 5263, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 5290, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 5405, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253) SIGKILL sent: pid: 5253, result: unknown
Source: /tmp/IcwrPqGkXP (PID: 5259) SIGKILL sent: pid: 936, result: successful
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
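The tags in the header (32, elf, mips) and the ".symtab present: no" line are facts that can be read straight from the ELF header and section table, which is worth doing yourself when a report's static fields are all you have. The Python below is an added example, not Joe Sandbox code: it parses those structures for an ELF32 file and, because the sample binary itself is not on this page, builds a minimal constructed ELF32 image to run against; pass a file path on the command line to check a real binary instead.

```python
"""Reproduce the report's static ELF facts: 32-bit, MIPS, .symtab present or not.

Added example (not Joe Sandbox code). It reads the ELF32 header and section
table directly. The sample is not on this page, so build_elf32() constructs a
minimal ELF32 image (headers and section names only, no code) for offline use.
"""
import struct
import sys

EM_NAMES = {3: "x86", 8: "mips", 40: "arm", 62: "x86-64"}  # subset of e_machine
SHT_SYMTAB = 2
ELF32_HDR = "HHIIIIIHHHHHH"   # header fields after e_ident, 36 bytes
ELF32_SHDR = "IIIIIIIIII"     # one section header, 40 bytes


def elf_static_info(data):
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1:
        raise ValueError("only ELF32 is handled here")
    end = {1: "<", 2: ">"}[ei_data]          # EI_DATA selects the byte order
    (e_type, e_machine, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(end + ELF32_HDR, data, 16)
    shdrs = [struct.unpack_from(end + ELF32_SHDR, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    # sh_name is an offset into the section-name string table (.shstrtab)
    strtab_off = shdrs[e_shstrndx][4] if shdrs else 0

    def name_of(sh):
        start = strtab_off + sh[0]
        return data[start:data.index(b"\0", start)].decode()

    names = [name_of(sh) for sh in shdrs]
    has_symtab = any(sh[1] == SHT_SYMTAB and n == ".symtab" for sh, n in zip(shdrs, names))
    return {
        "bits": 32,
        "endian": "big" if ei_data == 2 else "little",
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "executable": e_type == 2,
        "sections": names,
        "stripped": not has_symtab,   # the report's ".symtab present: no"
    }


def tags(info):
    """Tags in the style of the report header ('32', 'elf', 'mips')."""
    return [str(info["bits"]), "elf", info["machine"]]


def build_elf32(machine, big_endian=True, with_symtab=False):
    """Constructed test image: ELF header, .shstrtab, then the section table."""
    end = ">" if big_endian else "<"
    shstr = b"\0.shstrtab\0.symtab\0.text\0"
    name_idx = {".shstrtab": 1, ".symtab": 11, ".text": 19}
    shstr_off = 52                     # right after the 52-byte ELF32 header
    shoff = shstr_off + len(shstr)     # section headers follow the string table
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                       # SHN_UNDEF
        (name_idx[".text"], 1, 6, 0x400000, 0, 0, 0, 0, 4, 0),                # PROGBITS
        (name_idx[".shstrtab"], 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0),  # STRTAB
    ]
    if with_symtab:
        shdrs.append((name_idx[".symtab"], SHT_SYMTAB, 0, 0, shoff, 0, 0, 0, 4, 16))
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0, 0]) + b"\0" * 7
    hdr = ident + struct.pack(end + ELF32_HDR, 2, machine, 1, 0x400000, 0, shoff,
                              0, 52, 0, 0, 40, len(shdrs), 2)
    return hdr + shstr + b"".join(struct.pack(end + ELF32_SHDR, *sh) for sh in shdrs)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf32(8)
    info = elf_static_info(blob)
    print(tags(info), "stripped:", info["stripped"])
```

For the constructed big-endian MIPS image the script prints the same tags the report header shows and reports the file as stripped; a stripped binary is the norm for Mirai builds, so the absence of .symtab is expected rather than a distinguishing indicator.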
Sample tries to kill a process (SIGKILL)
Source: same SIGKILL events as listed under "Sample tries to kill many processes (SIGKILL)" above (both signatures fire on identical evidence)
Source: classification engine Classification label: mal72.spre.troj.lin@0/6@0/0
Source: IcwrPqGkXP Joe Sandbox Cloud Basic: Detection: clean Score: 0 (note: this Cloud Basic verdict disagrees with the score of 72 from the full analysis; the mal72 classification label rests on the behavioral evidence above, not on this verdict)

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system (note: opening /proc/<pid>/exe and /proc/<pid>/fd is how the sample identifies other processes before killing them; of the PIDs listed here, 759, 1334, 1335, 2275, 5259 and 5263 also appear as SIGKILL targets in System Summary)
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5263/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5263/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5265/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/4452/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2033/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1582/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2275/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2275/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2275/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/3088/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5260/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1612/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1579/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1699/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1335/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1335/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1335/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1698/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2028/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1334/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1576/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2302/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/3236/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2025/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2146/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/910/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5259/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5259/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/912/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/759/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/517/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2307/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/918/exe
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5151/exe Jump to behavior
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5274/fd Jump to behavior
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5275/fd Jump to behavior
Source: /tmp/IcwrPqGkXP (PID: 5253) File opened: /proc/5276/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43252
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43256
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43260
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43268
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43286
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43316
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43292
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43322
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43342
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43344
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43362
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43366
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43374
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43360
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37882
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37884
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37890
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37896
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37898
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37900
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37908
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37914

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/IcwrPqGkXP (PID: 5250) Queries kernel information via 'uname'
Source: IcwrPqGkXP, 5250.1.0000000020017d06.000000003f0ad8fa.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: IcwrPqGkXP, 5250.1.0000000020017d06.000000003f0ad8fa.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: IcwrPqGkXP, 5253.1.000000003f0ad8fa.000000001a2aa0c5.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: IcwrPqGkXP, 5250.1.000000008c28e82d.0000000037a278d6.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: IcwrPqGkXP, 5253.1.000000003f0ad8fa.000000001a2aa0c5.rw-.sdmp Binary or memory string: U!/proc/2146/fd/11mips/pr1/usr/bin/vmtoolsdips/
Source: IcwrPqGkXP, 5250.1.000000008c28e82d.0000000037a278d6.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/IcwrPqGkXPSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/IcwrPqGkXP
Source: IcwrPqGkXP, 5253.1.000000003f0ad8fa.000000001a2aa0c5.rw-.sdmp Binary or memory string: Uu-binfmt/mips/r10!/proc/1627/fd/14!/proc/797/fd/351/proc/1886/fd/48mips/r10!/proc/1627/fd/13!/proc/797/fd/361/proc/2096/fd/3/mips/r10!/proc/1627/fd/12!/proc/797/fd/371/proc/1886/fd/49mips/r10!/proc/1627/fd/10!/proc/797/fd/391/usr/bin/qemu-mipsps/r10!/proc/1627/fd/90!/proc/799/exe1/proc/1886/fd/50mips/r10!/proc/1627/fd/80!/proc/799/fd1/proc/2096/fd/2/mips/r10!/proc/1627/fd/70!/proc/799/fd/.1/proc/1886/fd/51mips/r10!/proc/1627/fd/60!/proc/799/fd/..10

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP