Play interactive tour

Edit tour

Linux Analysis Report IcwrPqGkXP

Overview

General Information

Sample Name:	IcwrPqGkXP
Analysis ID:	507447
MD5:	18fe913ce8856fc1ea6ebc0412e09da7
SHA1:	ff1494dd42dcda452120a9af38a1f5550bd29c55
SHA256:	dea614c4a0a319bb53e0d5d9b77d360e23d79e43e4c7a5179c9c3f6b66c26e74
Tags:	32elfmipsmirai
Infos:
Most interesting Screenshot:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	507447
Start date:	22.10.2021
Start time:	09:08:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	IcwrPqGkXP
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.spre.troj.lin@0/6@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

IcwrPqGkXP (PID: 5250, Parent: 5121, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/IcwrPqGkXP

IcwrPqGkXP New Fork (PID: 5253, Parent: 5250)

IcwrPqGkXP New Fork (PID: 5254, Parent: 5250)

IcwrPqGkXP New Fork (PID: 5255, Parent: 5250)

IcwrPqGkXP New Fork (PID: 5259, Parent: 5255)

IcwrPqGkXP New Fork (PID: 5261, Parent: 5255)

IcwrPqGkXP New Fork (PID: 5263, Parent: 5255)

systemd New Fork (PID: 5287, Parent: 1)

sshd (PID: 5287, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5290, Parent: 1)

sshd (PID: 5290, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5404, Parent: 1)

sshd (PID: 5404, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5405, Parent: 1)

sshd (PID: 5405, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5406, Parent: 1)

sshd (PID: 5406, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5407, Parent: 1)

sshd (PID: 5407, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: IcwrPqGkXP	Virustotal: Detection: 50%			Perma Link
Source: IcwrPqGkXP	ReversingLabs: Detection: 54%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42082
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42082
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48464
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36450
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36450
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56124
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48672
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42336
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42336
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36516
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36516
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56172
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54750
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36576
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36576
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56204
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54778
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45858
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45882
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42560
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42570
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:42570 -> 120.194.66.6:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56270
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45906
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42582
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54854
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:42582 -> 120.194.66.6:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:48816
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42594
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36640
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36640
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45932
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42604
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42626
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42638
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57340
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42644
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:45980
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:54912
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42534
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42534
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42668
Source: Traffic	Snort IDS: 716 INFO TELNET access 120.194.66.6:23 -> 192.168.2.23:42682
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:56922 -> 115.74.246.212:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56386
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46032
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55004
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57438
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46074
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36786
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36786
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46102
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56474
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57480
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46122
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57498
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55068
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.140.151.163:23 -> 192.168.2.23:46138
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:57052 -> 115.74.246.212:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56516
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:57058 -> 115.74.246.212:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:49060
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57528
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36874
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36874
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55152
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57602
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56608
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:42804
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:42804
Source: Traffic	Snort IDS: 716 INFO TELNET access 220.85.117.10:23 -> 192.168.2.23:45420
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57634
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:36996
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:36996
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55212
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57666
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56672
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52606
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57778
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55348
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52606
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:37156
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:37156
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.231.185.250:23 -> 192.168.2.23:56804
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:49344
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52694
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52694
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 46.171.37.170:23 -> 192.168.2.23:55398
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 221.10.172.131:23 -> 192.168.2.23:42474
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52726
Source: Traffic	Snort IDS: 716 INFO TELNET access 27.210.215.115:23 -> 192.168.2.23:37176
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:37224
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:37224
Source: Traffic	Snort IDS: 716 INFO TELNET access 220.85.117.10:23 -> 192.168.2.23:45678
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52726
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 27.210.215.115:23 -> 192.168.2.23:37176
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 27.210.215.115:23 -> 192.168.2.23:37176
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.238.96.121:23 -> 192.168.2.23:43088
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.238.96.121:23 -> 192.168.2.23:43088
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52796
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 221.10.172.131:23 -> 192.168.2.23:42554
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52796
Source: Traffic	Snort IDS: 716 INFO TELNET access 27.210.215.115:23 -> 192.168.2.23:37242
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52818
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 45.177.144.56:23 -> 192.168.2.23:37312
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 45.177.144.56:23 -> 192.168.2.23:37312
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 27.210.215.115:23 -> 192.168.2.23:37242
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 27.210.215.115:23 -> 192.168.2.23:37242
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.15.180.40:23 -> 192.168.2.23:52818
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 221.10.172.131:23 -> 192.168.2.23:42576
Source: Traffic	Snort IDS: 716 INFO TELNET access 162.251.124.166:23 -> 192.168.2.23:57948
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.15.180.40:23 -> 192.168.2.23:52840
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.220.29.174:23 -> 192.168.2.23:49502

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43252
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43256
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43260
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43272
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43268
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43316
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43322
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43342
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43344
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43362
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43374
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43360
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37882
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37884
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37890
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37896
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37898
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37900
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37908
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37914

Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443

Source: global traffic

TCP traffic: 192.168.2.23:44200 -> 176.126.175.188:1312

Source: /tmp/IcwrPqGkXP (PID: 5253)	Socket: 0.0.0.0::0
Source: /tmp/IcwrPqGkXP (PID: 5253)	Socket: 0.0.0.0::23
Source: /tmp/IcwrPqGkXP (PID: 5253)	Socket: 0.0.0.0::53413
Source: /tmp/IcwrPqGkXP (PID: 5253)	Socket: 0.0.0.0::80
Source: /tmp/IcwrPqGkXP (PID: 5253)	Socket: 0.0.0.0::52869
Source: /tmp/IcwrPqGkXP (PID: 5253)	Socket: 0.0.0.0::37215
Source: /tmp/IcwrPqGkXP (PID: 5259)	Socket: 0.0.0.0::22
Source: /tmp/IcwrPqGkXP (PID: 5259)	Socket: 0.0.0.0::23
Source: /tmp/IcwrPqGkXP (PID: 5259)	Socket: 0.0.0.0::53413
Source: /tmp/IcwrPqGkXP (PID: 5259)	Socket: 0.0.0.0::80
Source: /tmp/IcwrPqGkXP (PID: 5259)	Socket: 0.0.0.0::52869
Source: /tmp/IcwrPqGkXP (PID: 5259)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5290)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5405)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5405)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5407)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5407)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 176.126.175.188
Source: unknown	TCP traffic detected without corresponding DNS query: 75.91.152.247
Source: unknown	TCP traffic detected without corresponding DNS query: 184.237.126.242
Source: unknown	TCP traffic detected without corresponding DNS query: 40.172.207.84
Source: unknown	TCP traffic detected without corresponding DNS query: 183.218.255.83
Source: unknown	TCP traffic detected without corresponding DNS query: 111.242.180.118
Source: unknown	TCP traffic detected without corresponding DNS query: 171.59.92.231
Source: unknown	TCP traffic detected without corresponding DNS query: 203.25.197.232
Source: unknown	TCP traffic detected without corresponding DNS query: 118.2.251.79
Source: unknown	TCP traffic detected without corresponding DNS query: 118.68.125.140
Source: unknown	TCP traffic detected without corresponding DNS query: 38.74.198.225
Source: unknown	TCP traffic detected without corresponding DNS query: 253.114.31.118
Source: unknown	TCP traffic detected without corresponding DNS query: 108.211.59.236
Source: unknown	TCP traffic detected without corresponding DNS query: 180.15.42.13
Source: unknown	TCP traffic detected without corresponding DNS query: 169.50.228.79
Source: unknown	TCP traffic detected without corresponding DNS query: 166.73.1.187
Source: unknown	TCP traffic detected without corresponding DNS query: 155.111.169.178
Source: unknown	TCP traffic detected without corresponding DNS query: 69.40.101.27
Source: unknown	TCP traffic detected without corresponding DNS query: 194.3.176.129
Source: unknown	TCP traffic detected without corresponding DNS query: 179.22.6.207
Source: unknown	TCP traffic detected without corresponding DNS query: 212.177.222.62
Source: unknown	TCP traffic detected without corresponding DNS query: 89.209.189.20
Source: unknown	TCP traffic detected without corresponding DNS query: 71.68.153.155
Source: unknown	TCP traffic detected without corresponding DNS query: 179.190.66.93
Source: unknown	TCP traffic detected without corresponding DNS query: 191.62.73.5
Source: unknown	TCP traffic detected without corresponding DNS query: 80.40.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 252.19.250.113
Source: unknown	TCP traffic detected without corresponding DNS query: 79.158.185.6
Source: unknown	TCP traffic detected without corresponding DNS query: 86.152.55.178
Source: unknown	TCP traffic detected without corresponding DNS query: 250.76.71.171
Source: unknown	TCP traffic detected without corresponding DNS query: 145.187.24.155
Source: unknown	TCP traffic detected without corresponding DNS query: 4.31.189.126
Source: unknown	TCP traffic detected without corresponding DNS query: 95.9.175.225
Source: unknown	TCP traffic detected without corresponding DNS query: 8.138.189.91
Source: unknown	TCP traffic detected without corresponding DNS query: 217.216.63.38
Source: unknown	TCP traffic detected without corresponding DNS query: 178.1.203.237
Source: unknown	TCP traffic detected without corresponding DNS query: 77.69.105.75
Source: unknown	TCP traffic detected without corresponding DNS query: 146.188.2.100
Source: unknown	TCP traffic detected without corresponding DNS query: 245.105.21.99
Source: unknown	TCP traffic detected without corresponding DNS query: 147.125.98.210
Source: unknown	TCP traffic detected without corresponding DNS query: 130.32.135.51
Source: unknown	TCP traffic detected without corresponding DNS query: 197.87.52.245
Source: unknown	TCP traffic detected without corresponding DNS query: 171.15.242.108
Source: unknown	TCP traffic detected without corresponding DNS query: 133.158.120.223
Source: unknown	TCP traffic detected without corresponding DNS query: 133.197.139.22
Source: unknown	TCP traffic detected without corresponding DNS query: 119.230.119.116
Source: unknown	TCP traffic detected without corresponding DNS query: 141.12.150.118
Source: unknown	TCP traffic detected without corresponding DNS query: 176.117.57.57
Source: unknown	TCP traffic detected without corresponding DNS query: 151.105.216.116

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5259, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5255, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5263, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5290, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5405, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5253, result: unknown
Source: /tmp/IcwrPqGkXP (PID: 5259)	SIGKILL sent: pid: 936, result: successful

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5259, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2191, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5255, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5263, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5290, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5405, result: successful
Source: /tmp/IcwrPqGkXP (PID: 5253)	SIGKILL sent: pid: 5253, result: unknown
Source: /tmp/IcwrPqGkXP (PID: 5259)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal72.spre.troj.lin@0/6@0/0

Source: IcwrPqGkXP

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5263/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5263/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5265/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/4452/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2033/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2033/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1582/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1582/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2275/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2275/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2275/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/3088/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5260/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1612/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1612/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1579/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1579/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1699/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1699/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1335/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1335/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1335/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1698/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1698/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2028/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2028/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1334/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1334/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1576/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/1576/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2302/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2302/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/3236/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/3236/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2025/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2025/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2146/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2146/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/910/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5259/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5259/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/912/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/912/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/759/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/759/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/517/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2307/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/2307/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/918/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/918/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5151/exe
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5274/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5275/fd
Source: /tmp/IcwrPqGkXP (PID: 5253)	File opened: /proc/5276/fd

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43252
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43256
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43260
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43272
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43268
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43316
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43322
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43342
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43344
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43362
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43374
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43360
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37882
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37884
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37890
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37896
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37898
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37900
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37908
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37914

Source: /tmp/IcwrPqGkXP (PID: 5250)

Queries kernel information via 'uname':

Source: IcwrPqGkXP, 5250.1.0000000020017d06.000000003f0ad8fa.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: IcwrPqGkXP, 5250.1.0000000020017d06.000000003f0ad8fa.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: IcwrPqGkXP, 5253.1.000000003f0ad8fa.000000001a2aa0c5.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: IcwrPqGkXP, 5250.1.000000008c28e82d.0000000037a278d6.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: IcwrPqGkXP, 5253.1.000000003f0ad8fa.000000001a2aa0c5.rw-.sdmp	Binary or memory string: U!/proc/2146/fd/11mips/pr1/usr/bin/vmtoolsdips/
Source: IcwrPqGkXP, 5250.1.000000008c28e82d.0000000037a278d6.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/IcwrPqGkXPSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/IcwrPqGkXP
Source: IcwrPqGkXP, 5253.1.000000003f0ad8fa.000000001a2aa0c5.rw-.sdmp	Binary or memory string: Uu-binfmt/mips/r10!/proc/1627/fd/14!/proc/797/fd/351/proc/1886/fd/48mips/r10!/proc/1627/fd/13!/proc/797/fd/361/proc/2096/fd/3/mips/r10!/proc/1627/fd/12!/proc/797/fd/371/proc/1886/fd/49mips/r10!/proc/1627/fd/10!/proc/797/fd/391/usr/bin/qemu-mipsps/r10!/proc/1627/fd/90!/proc/799/exe1/proc/1886/fd/50mips/r10!/proc/1627/fd/80!/proc/799/fd1/proc/2096/fd/2/mips/r10!/proc/1627/fd/70!/proc/799/fd/.1/proc/1886/fd/51mips/r10!/proc/1627/fd/60!/proc/799/fd/..10

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IcwrPqGkXP	50%	Virustotal		Browse
IcwrPqGkXP	55%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
151.142.57.149	unknown	United States	10967	HOMEDEPOTNETUS	false
186.246.4.65	unknown	Brazil	7738	TelemarNorteLesteSABR	false
136.244.180.180	unknown	United States	3606	CONNCOLL-ASUS	false
114.246.134.99	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
87.99.160.241	unknown	Sweden	12501	NORRNODITSSE	false
220.10.138.154	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
111.98.122.40	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
168.245.234.50	unknown	United States	393706	NELSONCABLEUS	false
191.169.131.225	unknown	Brazil	26615	TIMSABR	false
201.21.20.15	unknown	Brazil	28573	CLAROSABR	false
115.191.0.168	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
182.67.0.254	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
184.254.1.5	unknown	United States	10507	SPCSUS	false
149.12.44.6	unknown	United States	48945	IFNL-ASGB	false
240.193.66.243	unknown	Reserved	unknown	unknown	false
216.221.62.137	unknown	Canada	6280	SYNAPSECA	false
130.250.57.142	unknown	United States	394901	VXCHNGE-TX01US	false
92.210.255.138	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
175.244.101.81	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
109.226.128.16	unknown	Germany	21032	TELTA-ASDE	false
133.120.23.87	unknown	Japan	2522	PPP-EXPJapanNetworkInformationCenterJP	false
148.70.47.116	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
42.203.248.247	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
60.158.0.171	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
151.112.119.144	unknown	United States	32480	LLUMCUS	false
110.111.113.82	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
113.180.223.7	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
61.185.194.127	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
67.206.151.115	unknown	United States	26857	TRUSTCOMM-ASUS	false
158.126.37.100	unknown	Sweden	31756	COLORADOSPRINGS-GOVUS	false
213.146.201.54	unknown	Portugal	5626	ONIInternetServiceProviderPT	false
59.19.24.218	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
155.2.116.79	unknown	United States	2386	INS-ASUS	false
85.45.125.184	unknown	Italy	3269	ASN-IBSNAZIT	false
5.160.167.152	unknown	Iran (ISLAMIC Republic Of)	42337	RESPINA-ASIR	false
31.121.69.183	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
159.7.220.25	unknown	Sweden	1906	NORTHROP-GRUMMANUS	false
83.44.49.14	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
84.247.123.155	unknown	Romania	60509	TELEPERFORMANCE-ASRO	false
216.80.250.213	unknown	United States	7029	WINDSTREAMUS	false
61.111.143.75	unknown	Korea Republic of	4670	HYUNDAI-KRShinbiroKR	false
93.169.65.140	unknown	Saudi Arabia	39891	ALJAWWALSTC-ASSA	false
195.223.249.170	unknown	Italy	3269	ASN-IBSNAZIT	false
8.135.206.253	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
192.244.191.206	unknown	Japan	11363	FUJITSU-USAUS	false
138.236.115.201	unknown	United States	17234	GACUS	false
94.42.249.41	unknown	Poland	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
199.3.5.110	unknown	United States	1239	SPRINTLINKUS	false
149.115.226.181	unknown	United States	174	COGENT-174US	false
96.66.178.36	unknown	United States	7922	COMCAST-7922US	false
195.66.5.176	unknown	Germany	9063	SAARGATE-ASVSENETGmbHDE	false
121.201.230.87	unknown	China	17623	CNCGROUP-SZChinaUnicomShenzennetworkCN	false
188.13.148.235	unknown	Italy	3269	ASN-IBSNAZIT	false
246.179.47.128	unknown	Reserved	unknown	unknown	false
246.9.73.167	unknown	Reserved	unknown	unknown	false
164.113.178.223	unknown	United States	2495	KANRENUS	false
44.26.197.42	unknown	United States	63069	SURELINEUS	false
197.2.84.140	unknown	Tunisia	37705	TOPNETTN	false
78.50.41.178	unknown	Germany	6805	TDDE-ASN1DE	false
38.217.98.240	unknown	United States	174	COGENT-174US	false
115.247.124.243	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
184.11.40.157	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
16.142.65.134	unknown	United States	unknown	unknown	false
204.8.204.13	unknown	Angola	328165	Banco-de-Investimento-RuralAO	false
223.221.104.203	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
45.145.30.173	unknown	Turkey	197328	INETLTDTR	false
82.141.139.16	unknown	Hungary	12301	INVITECHHU	false
219.21.25.139	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
185.70.34.116	unknown	United Kingdom	201353	NSUKGB	false
35.84.199.85	unknown	United States	237	MERIT-AS-14US	false
48.233.101.228	unknown	United States	2686	ATGS-MMD-ASUS	false
175.219.69.250	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
76.145.199.51	unknown	United States	7922	COMCAST-7922US	false
123.73.29.199	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
221.163.247.179	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
183.3.52.187	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
17.109.252.29	unknown	United States	714	APPLE-ENGINEERINGUS	false
99.48.195.62	unknown	United States	7018	ATT-INTERNET4US	false
102.112.147.46	unknown	Mauritius	23889	MauritiusTelecomMU	false
222.43.48.173	unknown	China	45069	CNNIC-CTTSDNET-APchinatietongShandongnetCN	false
117.186.4.82	unknown	China	24400	CMNET-V4SHANGHAI-AS-APShanghaiMobileCommunicationsCoLt	false
96.1.87.79	unknown	Canada	852	ASN852CA	false
157.10.154.106	unknown	unknown	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
247.78.135.221	unknown	Reserved	unknown	unknown	false
71.161.252.154	unknown	United States	701	UUNETUS	false
72.113.124.144	unknown	United States	22394	CELLCOUS	false
115.30.102.59	unknown	Taiwan; Republic of China (ROC)	133747	TRIUMPH-AS-APTRIUMPHDYNASTYLimitedHK	false
121.231.7.49	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
254.5.211.44	unknown	Reserved	unknown	unknown	false
97.250.16.26	unknown	United States	6167	CELLCO-PARTUS	false
85.136.14.63	unknown	Spain	12357	COMUNITELSPAINES	false
211.91.48.146	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
48.171.221.80	unknown	United States	2686	ATGS-MMD-ASUS	false
9.172.67.125	unknown	United States	3356	LEVEL3US	false
255.56.145.124	unknown	Reserved	unknown	unknown	false
203.27.10.136	unknown	China	2764	AAPTAAPTLimitedAU	false
106.34.174.230	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
210.226.36.155	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
32.1.117.241	unknown	United States	2686	ATGS-MMD-ASUS	false
212.249.81.39	unknown	Switzerland	702	UUNETUS	false

Runtime Messages

Command:	/tmp/IcwrPqGkXP
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TelemarNorteLesteSABR	MPnFvIsvJp	Get hash	malicious	Browse	201.19.52.194
	g22kPe2LIc	Get hash	malicious	Browse	186.246.215.95
	cosvgegE1S	Get hash	malicious	Browse	191.2.105.255
	gKCq4VLpjL	Get hash	malicious	Browse	191.45.41.196
	uK570ZEpyQ	Get hash	malicious	Browse	191.214.237.61
	F3br85KuNX	Get hash	malicious	Browse	201.18.7.193
	jviIYCvWBc	Get hash	malicious	Browse	191.42.56.200
	pLpqV3XZ76	Get hash	malicious	Browse	189.105.44.62
	ggtS1fKIqX	Get hash	malicious	Browse	191.0.212.55
	sora.arm	Get hash	malicious	Browse	187.43.203.27
	buiodawbdawbuiopdw.x86	Get hash	malicious	Browse	187.43.170.12
	Kot3UfQMDm	Get hash	malicious	Browse	191.214.114.207
	arm7	Get hash	malicious	Browse	201.58.44.232
	arm7	Get hash	malicious	Browse	191.2.153.111
	JuofJwjQMT	Get hash	malicious	Browse	189.104.65.237
	x86	Get hash	malicious	Browse	189.105.20.47
	Z1JWqe0tZn	Get hash	malicious	Browse	179.67.232.124
	raCyB7pYpd	Get hash	malicious	Browse	152.237.114.166
	il32XbklZm	Get hash	malicious	Browse	201.32.125.192
	7SerHvEAjE	Get hash	malicious	Browse	179.68.219.97
HOMEDEPOTNETUS	il32XbklZm	Get hash	malicious	Browse	151.140.99.116
	8A5Aub0x7r	Get hash	malicious	Browse	151.140.70.186
	h8RVQktJXr	Get hash	malicious	Browse	165.131.82.191
	KG7X7nyxQ4	Get hash	malicious	Browse	165.130.201.189
	b3astmode.arm7	Get hash	malicious	Browse	151.140.99.100
	3DAMhv0DFI	Get hash	malicious	Browse	151.140.52.118
	jFQ6SEAt26	Get hash	malicious	Browse	165.130.6.234
	2YrqtABAvt	Get hash	malicious	Browse	165.131.138.205
	i64RJ7IpMW	Get hash	malicious	Browse	207.11.39.140
	b3astmode.arm7	Get hash	malicious	Browse	151.142.57.178
	l9Ix5r5wGZ	Get hash	malicious	Browse	165.130.248.172
	e5q6xjMRES	Get hash	malicious	Browse	151.140.146.198
	DLGXmh48ND	Get hash	malicious	Browse	151.142.57.102
	bwuBy0kegz	Get hash	malicious	Browse	151.140.128.106
	x86_unpacked	Get hash	malicious	Browse	151.142.57.160
	fil1	Get hash	malicious	Browse	151.142.57.173

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5290/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/proc/5405/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/proc/5407/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:E4v:Ei
MD5:	C1CD8B3D865DA678B4D32DDFFA91B683
SHA1:	DBD80617342B88805FEC6EFEC7A720E751598798
SHA-256:	11D1C64BB9D6C776EF791C61A88BB582C6AD4C816754E5BF48C9327DDBF39BDF
SHA-512:	3B0D361F3DD594CFA593C98E571C58A3D86FB9A1F1E8F8C78F505BE5231C312E63AB5DD724BF3D8DEDE78DF740C5D0BAB5DB0DA1916EAAAB6A4BCA289A56B313
Malicious:	false
Reputation:	low
Preview:	5407.

Static File Info

General
File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.296758508714272
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	IcwrPqGkXP
File size:	71764
MD5:	18fe913ce8856fc1ea6ebc0412e09da7
SHA1:	ff1494dd42dcda452120a9af38a1f5550bd29c55
SHA256:	dea614c4a0a319bb53e0d5d9b77d360e23d79e43e4c7a5179c9c3f6b66c26e74
SHA512:	487221c1701546a05d979979ff75ceaf3600c504da5b6581ea90e627a81b07869442431a4d1b157cb9620c60d92d9d3ddee7d8de37249b7b402bc419eb4da617
SSDEEP:	1536:WkvDSnAd6mYoPdd8TVs1o0vB1tA0iLuYw2+O/82:WkLSA3vGko0pTAmYw2+OE2
File Content Preview:	.ELF.....................@.`...4...L.....4. ...(.............@...@...........................E...E..................dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	71244
Section Header Size:	40
Number of Section Headers:	13
Header String Table Index:	12

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xffe0	0x0	0x6	AX	16
.fini	PROGBITS	0x410100	0x10100	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x410160	0x10160	0x660	0x0	0x2	A	16
.ctors	PROGBITS	0x451000	0x11000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x451008	0x11008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x451020	0x11020	0x190	0x0	0x3	WA	16
.got	PROGBITS	0x4511b0	0x111b0	0x444	0x4	0x10000003	WA	16
.sbss	NOBITS	0x4515f4	0x115f4	0x24	0x0	0x10000003	WA	4
.bss	NOBITS	0x451620	0x115f4	0x2a0	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x72c	0x115f4	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x115f4	0x57	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x107c0	0x107c0	3.3492	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x11000	0x451000	0x451000	0x5f4	0x8c0	1.8117	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2021 09:09:20.965967894 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 22, 2021 09:09:21.455444098 CEST	44200	1312	192.168.2.23	176.126.175.188
Oct 22, 2021 09:09:21.466552973 CEST	62391	23	192.168.2.23	75.91.152.247
Oct 22, 2021 09:09:21.466599941 CEST	62391	23	192.168.2.23	184.237.126.242
Oct 22, 2021 09:09:21.466609955 CEST	62391	23	192.168.2.23	196.95.110.240
Oct 22, 2021 09:09:21.466614962 CEST	62391	23	192.168.2.23	40.172.207.84
Oct 22, 2021 09:09:21.466618061 CEST	62391	23	192.168.2.23	183.218.255.83
Oct 22, 2021 09:09:21.466669083 CEST	62391	23	192.168.2.23	250.210.164.244
Oct 22, 2021 09:09:21.466672897 CEST	62391	23	192.168.2.23	111.242.180.118
Oct 22, 2021 09:09:21.466684103 CEST	62391	23	192.168.2.23	171.59.92.231
Oct 22, 2021 09:09:21.466691017 CEST	62391	23	192.168.2.23	203.25.197.232
Oct 22, 2021 09:09:21.466696978 CEST	62391	23	192.168.2.23	118.2.251.79
Oct 22, 2021 09:09:21.466716051 CEST	62391	23	192.168.2.23	118.68.125.140
Oct 22, 2021 09:09:21.466723919 CEST	62391	23	192.168.2.23	38.74.198.225
Oct 22, 2021 09:09:21.466736078 CEST	62391	23	192.168.2.23	253.114.31.118
Oct 22, 2021 09:09:21.466759920 CEST	62391	23	192.168.2.23	108.211.59.236
Oct 22, 2021 09:09:21.466783047 CEST	62391	23	192.168.2.23	180.15.42.13
Oct 22, 2021 09:09:21.466814041 CEST	62391	23	192.168.2.23	169.50.228.79
Oct 22, 2021 09:09:21.466826916 CEST	62391	23	192.168.2.23	166.73.1.187
Oct 22, 2021 09:09:21.466850996 CEST	62391	23	192.168.2.23	155.111.169.178
Oct 22, 2021 09:09:21.466953039 CEST	62391	23	192.168.2.23	69.40.101.27
Oct 22, 2021 09:09:21.466957092 CEST	62391	23	192.168.2.23	194.3.176.129
Oct 22, 2021 09:09:21.466974974 CEST	62391	23	192.168.2.23	179.22.6.207
Oct 22, 2021 09:09:21.466976881 CEST	62391	23	192.168.2.23	212.177.222.62
Oct 22, 2021 09:09:21.467022896 CEST	62391	23	192.168.2.23	89.209.189.20
Oct 22, 2021 09:09:21.467067003 CEST	62391	23	192.168.2.23	71.68.153.155
Oct 22, 2021 09:09:21.467067003 CEST	62391	23	192.168.2.23	179.190.66.93
Oct 22, 2021 09:09:21.467075109 CEST	62391	23	192.168.2.23	191.62.73.5
Oct 22, 2021 09:09:21.467076063 CEST	62391	23	192.168.2.23	255.10.15.206
Oct 22, 2021 09:09:21.467144012 CEST	62391	23	192.168.2.23	80.40.242.1
Oct 22, 2021 09:09:21.467149019 CEST	62391	23	192.168.2.23	252.19.250.113
Oct 22, 2021 09:09:21.467154026 CEST	62391	23	192.168.2.23	79.158.185.6
Oct 22, 2021 09:09:21.467159986 CEST	62391	23	192.168.2.23	86.152.55.178
Oct 22, 2021 09:09:21.467195988 CEST	62391	23	192.168.2.23	250.76.71.171
Oct 22, 2021 09:09:21.467201948 CEST	62391	23	192.168.2.23	145.187.24.155
Oct 22, 2021 09:09:21.467207909 CEST	62391	23	192.168.2.23	4.31.189.126
Oct 22, 2021 09:09:21.467210054 CEST	62391	23	192.168.2.23	95.9.175.225
Oct 22, 2021 09:09:21.467214108 CEST	62391	23	192.168.2.23	8.138.189.91
Oct 22, 2021 09:09:21.467226028 CEST	62391	23	192.168.2.23	217.216.63.38
Oct 22, 2021 09:09:21.467236996 CEST	62391	23	192.168.2.23	178.1.203.237
Oct 22, 2021 09:09:21.467245102 CEST	62391	23	192.168.2.23	77.69.105.75
Oct 22, 2021 09:09:21.467269897 CEST	62391	23	192.168.2.23	146.188.2.100
Oct 22, 2021 09:09:21.467273951 CEST	62391	23	192.168.2.23	245.105.21.99
Oct 22, 2021 09:09:21.467348099 CEST	62391	23	192.168.2.23	147.125.98.210
Oct 22, 2021 09:09:21.467361927 CEST	62391	23	192.168.2.23	130.32.135.51
Oct 22, 2021 09:09:21.467363119 CEST	62391	23	192.168.2.23	197.87.52.245
Oct 22, 2021 09:09:21.467391014 CEST	62391	23	192.168.2.23	171.15.242.108
Oct 22, 2021 09:09:21.467403889 CEST	62391	23	192.168.2.23	220.110.254.214
Oct 22, 2021 09:09:21.467405081 CEST	62391	23	192.168.2.23	133.158.120.223
Oct 22, 2021 09:09:21.467426062 CEST	62391	23	192.168.2.23	133.197.139.22
Oct 22, 2021 09:09:21.467427015 CEST	62391	23	192.168.2.23	119.230.119.116
Oct 22, 2021 09:09:21.467428923 CEST	62391	23	192.168.2.23	141.12.150.118
Oct 22, 2021 09:09:21.467449903 CEST	62391	23	192.168.2.23	176.117.57.57
Oct 22, 2021 09:09:21.467478037 CEST	62391	23	192.168.2.23	151.105.216.116
Oct 22, 2021 09:09:21.467489004 CEST	62391	23	192.168.2.23	125.128.148.184
Oct 22, 2021 09:09:21.467495918 CEST	62391	23	192.168.2.23	203.12.234.212
Oct 22, 2021 09:09:21.467509031 CEST	62391	23	192.168.2.23	205.129.13.21
Oct 22, 2021 09:09:21.467516899 CEST	62391	23	192.168.2.23	148.30.241.151
Oct 22, 2021 09:09:21.467525005 CEST	62391	23	192.168.2.23	217.31.98.122
Oct 22, 2021 09:09:21.467530966 CEST	62391	23	192.168.2.23	38.162.60.184
Oct 22, 2021 09:09:21.467534065 CEST	62391	23	192.168.2.23	93.147.9.212
Oct 22, 2021 09:09:21.467540026 CEST	62391	23	192.168.2.23	47.143.80.114
Oct 22, 2021 09:09:21.467550039 CEST	62391	23	192.168.2.23	184.26.253.181
Oct 22, 2021 09:09:21.467556953 CEST	62391	23	192.168.2.23	122.206.46.181
Oct 22, 2021 09:09:21.467566013 CEST	62391	23	192.168.2.23	4.38.148.189
Oct 22, 2021 09:09:21.467590094 CEST	62391	23	192.168.2.23	248.132.18.249
Oct 22, 2021 09:09:21.467600107 CEST	62391	23	192.168.2.23	194.8.42.200
Oct 22, 2021 09:09:21.467638969 CEST	62391	23	192.168.2.23	91.40.204.126
Oct 22, 2021 09:09:21.467641115 CEST	62391	23	192.168.2.23	187.246.203.208
Oct 22, 2021 09:09:21.467674971 CEST	62391	23	192.168.2.23	165.198.68.235
Oct 22, 2021 09:09:21.467772007 CEST	62391	23	192.168.2.23	13.158.85.12
Oct 22, 2021 09:09:21.467799902 CEST	62391	23	192.168.2.23	190.2.58.243
Oct 22, 2021 09:09:21.467828035 CEST	62391	23	192.168.2.23	172.113.205.5
Oct 22, 2021 09:09:21.467840910 CEST	62391	23	192.168.2.23	142.67.39.229
Oct 22, 2021 09:09:21.467844963 CEST	62391	23	192.168.2.23	8.99.167.98
Oct 22, 2021 09:09:21.467854023 CEST	62391	23	192.168.2.23	113.96.40.208
Oct 22, 2021 09:09:21.467869997 CEST	62391	23	192.168.2.23	149.217.202.149
Oct 22, 2021 09:09:21.467881918 CEST	62391	23	192.168.2.23	177.123.203.137
Oct 22, 2021 09:09:21.467892885 CEST	62391	23	192.168.2.23	38.80.109.228
Oct 22, 2021 09:09:21.467892885 CEST	62391	23	192.168.2.23	92.44.51.89
Oct 22, 2021 09:09:21.467894077 CEST	62391	23	192.168.2.23	108.134.134.177
Oct 22, 2021 09:09:21.467930079 CEST	62391	23	192.168.2.23	198.22.75.172
Oct 22, 2021 09:09:21.467956066 CEST	62391	23	192.168.2.23	199.60.6.54
Oct 22, 2021 09:09:21.467962980 CEST	62391	23	192.168.2.23	109.217.132.49
Oct 22, 2021 09:09:21.467988014 CEST	62391	23	192.168.2.23	216.200.67.125
Oct 22, 2021 09:09:21.467994928 CEST	62391	23	192.168.2.23	124.133.234.199
Oct 22, 2021 09:09:21.468002081 CEST	62391	23	192.168.2.23	196.102.105.255
Oct 22, 2021 09:09:21.468014002 CEST	62391	23	192.168.2.23	197.164.199.47
Oct 22, 2021 09:09:21.468027115 CEST	62391	23	192.168.2.23	91.208.101.239
Oct 22, 2021 09:09:21.468034029 CEST	62391	23	192.168.2.23	200.214.173.33
Oct 22, 2021 09:09:21.468041897 CEST	62391	23	192.168.2.23	197.131.149.222
Oct 22, 2021 09:09:21.468054056 CEST	62391	23	192.168.2.23	118.190.74.223
Oct 22, 2021 09:09:21.468060017 CEST	62391	23	192.168.2.23	13.144.114.70
Oct 22, 2021 09:09:21.468099117 CEST	62391	23	192.168.2.23	207.167.236.253
Oct 22, 2021 09:09:21.468115091 CEST	62391	23	192.168.2.23	209.6.34.185
Oct 22, 2021 09:09:21.468122005 CEST	62391	23	192.168.2.23	89.183.10.81
Oct 22, 2021 09:09:21.468127966 CEST	62391	23	192.168.2.23	191.0.222.90
Oct 22, 2021 09:09:21.468152046 CEST	62391	23	192.168.2.23	117.120.132.63
Oct 22, 2021 09:09:21.468164921 CEST	62391	23	192.168.2.23	175.229.93.122
Oct 22, 2021 09:09:21.468199015 CEST	62391	23	192.168.2.23	66.72.145.251

System Behavior

Analysis Process: IcwrPqGkXP PID: 5250 Parent PID: 5121

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	/tmp/IcwrPqGkXP
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: IcwrPqGkXP PID: 5253 Parent PID: 5250

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: IcwrPqGkXP PID: 5254 Parent PID: 5250

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: IcwrPqGkXP PID: 5255 Parent PID: 5250

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: IcwrPqGkXP PID: 5259 Parent PID: 5255

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: IcwrPqGkXP PID: 5261 Parent PID: 5255

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: IcwrPqGkXP PID: 5263 Parent PID: 5255

General

Start time:	09:09:20
Start date:	22/10/2021
Path:	/tmp/IcwrPqGkXP
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: systemd PID: 5287 Parent PID: 1

General

Start time:	09:09:33
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5287 Parent PID: 1

General

Start time:	09:09:33
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5290 Parent PID: 1

General

Start time:	09:09:34
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5290 Parent PID: 1

General

Start time:	09:09:34
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5404 Parent PID: 1

General

Start time:	09:12:19
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5404 Parent PID: 1

General

Start time:	09:12:19
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5405 Parent PID: 1

General

Start time:	09:12:19
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5405 Parent PID: 1

General

Start time:	09:12:19
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5406 Parent PID: 1

General

Start time:	09:12:21
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5406 Parent PID: 1

General

Start time:	09:12:21
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5407 Parent PID: 1

General

Start time:	09:12:21
Start date:	22/10/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5407 Parent PID: 1

General

Start time:	09:12:21
Start date:	22/10/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report IcwrPqGkXP

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: IcwrPqGkXP PID: 5250 Parent PID: 5121

General

Analysis Process: IcwrPqGkXP PID: 5253 Parent PID: 5250

General

Analysis Process: IcwrPqGkXP PID: 5254 Parent PID: 5250

General

Analysis Process: IcwrPqGkXP PID: 5255 Parent PID: 5250

General

Analysis Process: IcwrPqGkXP PID: 5259 Parent PID: 5255

General

Analysis Process: IcwrPqGkXP PID: 5261 Parent PID: 5255

General

Analysis Process: IcwrPqGkXP PID: 5263 Parent PID: 5255

General

Analysis Process: systemd PID: 5287 Parent PID: 1

General

Analysis Process: sshd PID: 5287 Parent PID: 1

General

Analysis Process: systemd PID: 5290 Parent PID: 1

General

Analysis Process: sshd PID: 5290 Parent PID: 1