Linux Analysis Report 1Zn1o0ho0d

Overview

General Information

Sample Name: 1Zn1o0ho0d
Analysis ID: 517072
MD5: 7cd969c5a935efb39614b9e088682e2d
SHA1: 142387e6dddad723345106a8a2d4bbc96527387c
SHA256: e46d2e7b074443218de80066a68ae9e146f8d8fdd22b624f619d7f486e4036b8
Tags: 32 arm elf mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Yara signature match
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 1Zn1o0ho0d Virustotal: Detection: 44%
Source: 1Zn1o0ho0d ReversingLabs: Detection: 42%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
How to read these alerts: every flow below is <remote host>:23 -> 192.168.2.23:<ephemeral port>, so the rules fire on the replies of external telnet servers to sessions the sandbox guest opened. "TELNET access" is the remote banner or login prompt; "login failed", "login incorrect" and "Bad Login" are the remote rejection strings. The guest is therefore the one attempting telnet logins against many hosts, not the target of a scan. SIDs 1251 and 718 both match one rejection, which is why they always appear as a pair on the same client port (e.g. 35958, 36062).
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:35958
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:35958
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36596
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 188.150.3.143: -> 192.168.2.23:
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36614
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36632
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36652
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36668
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36676
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36062
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36062
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36682
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36708
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36742
Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36754
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36164
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36164
Source: Traffic Snort IDS: 716 INFO TELNET access 58.26.108.34:23 -> 192.168.2.23:36142
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42378
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42388
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42392
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36214
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36214
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42400
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42406
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42410
Source: Traffic Snort IDS: 716 INFO TELNET access 216.7.155.6:23 -> 192.168.2.23:52632
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42422
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42434
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42452
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42458
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36276
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36276
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40236
Source: Traffic Snort IDS: 716 INFO TELNET access 58.26.108.34:23 -> 192.168.2.23:36266
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40256
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40274
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36340
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36340
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40280
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40286
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40312
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43416
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40324
Source: Traffic Snort IDS: 716 INFO TELNET access 216.7.155.6:23 -> 192.168.2.23:52778
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40330
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43444
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36394
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36394
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40344
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.210.16.54:23 -> 192.168.2.23:40356
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43452
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43472
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43478
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43484
Source: Traffic Snort IDS: 716 INFO TELNET access 58.26.108.34:23 -> 192.168.2.23:36396
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43492
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43496
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36446
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36446
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43512
Source: Traffic Snort IDS: 716 INFO TELNET access 221.206.242.157:23 -> 192.168.2.23:43520
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.205.167.95:23 -> 192.168.2.23:46894
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37298
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 69.173.224.203:23 -> 192.168.2.23:43142
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 69.173.224.203:23 -> 192.168.2.23:43142
Source: Traffic Snort IDS: 716 INFO TELNET access 216.7.155.6:23 -> 192.168.2.23:52936
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.228.16.21:23 -> 192.168.2.23:33976
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.228.16.21:23 -> 192.168.2.23:33976
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37298
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 69.173.224.203:23 -> 192.168.2.23:43154
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 69.173.224.203:23 -> 192.168.2.23:43154
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37322
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 69.173.224.203:23 -> 192.168.2.23:43166
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 69.173.224.203:23 -> 192.168.2.23:43166
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37322
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 69.173.224.203:23 -> 192.168.2.23:43184
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 69.173.224.203:23 -> 192.168.2.23:43184
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.108.66.54:23 -> 192.168.2.23:59728
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56786
Source: Traffic Snort IDS: 716 INFO TELNET access 58.26.108.34:23 -> 192.168.2.23:36556
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56838
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37374
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37374
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56852
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37414
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56874
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 118.163.235.60:23 -> 192.168.2.23:53434
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 118.163.235.60:23 -> 192.168.2.23:53434
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37414
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56888
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56904
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37448
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:36678
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:36678
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56930
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56942
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37448
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56950
Source: Traffic Snort IDS: 716 INFO TELNET access 216.7.155.6:23 -> 192.168.2.23:53122
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37504
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 118.163.235.60:23 -> 192.168.2.23:53514
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 118.163.235.60:23 -> 192.168.2.23:53514
Source: Traffic Snort IDS: 716 INFO TELNET access 122.140.245.150:23 -> 192.168.2.23:56964
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 98.11.20.73: -> 192.168.2.23:
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37504
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.169.69.75:23 -> 192.168.2.23:44530
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.169.69.75:23 -> 192.168.2.23:44530
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.228.16.21:23 -> 192.168.2.23:34190
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.228.16.21:23 -> 192.168.2.23:34190
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37530
Source: Traffic Snort IDS: 716 INFO TELNET access 58.26.108.34:23 -> 192.168.2.23:36726
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37530
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37552
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 118.163.235.60:23 -> 192.168.2.23:53570
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 118.163.235.60:23 -> 192.168.2.23:53570
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37552
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37598
Source: Traffic Snort IDS: 716 INFO TELNET access 222.222.173.171:23 -> 192.168.2.23:41814
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.247.229.197:23 -> 192.168.2.23:35102
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.247.229.197:23 -> 192.168.2.23:35102
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37598
Source: Traffic Snort IDS: 716 INFO TELNET access 222.222.173.171:23 -> 192.168.2.23:41880
Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37718
Source: Traffic Snort IDS: 716 INFO TELNET access 81.70.244.145:23 -> 192.168.2.23:44124
Source: Traffic Snort IDS: 716 INFO TELNET access 153.151.190.73:23 -> 192.168.2.23:51398
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 118.163.235.60:23 -> 192.168.2.23:53684
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 118.163.235.60:23 -> 192.168.2.23:53684
Source: Traffic Snort IDS: 716 INFO TELNET access 223.244.252.47:23 -> 192.168.2.23:59778
Source: Traffic Snort IDS: 716 INFO TELNET access 222.222.173.171:23 -> 192.168.2.23:41994
Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37718
Source: Traffic Snort IDS: 716 INFO TELNET access 216.7.155.6:23 -> 192.168.2.23:53442
Source: Traffic Snort IDS: 716 INFO TELNET access 153.151.190.73:23 -> 192.168.2.23:51498
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.244.252.47:23 -> 192.168.2.23:59778
Source: Traffic Snort IDS: 716 INFO TELNET access 59.20.239.131:23 -> 192.168.2.23:41100
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 123.21.164.54:23 -> 192.168.2.23:37482
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 123.21.164.54:23 -> 192.168.2.23:37482
Source: Traffic Snort IDS: 716 INFO TELNET access 42.63.24.62:23 -> 192.168.2.23:49516
Source: Traffic Snort IDS: 716 INFO TELNET access 222.222.173.171:23 -> 192.168.2.23:42092
Source: Traffic Snort IDS: 716 INFO TELNET access 223.244.252.47:23 -> 192.168.2.23:59928
Source: Traffic Snort IDS: 716 INFO TELNET access 153.151.190.73:23 -> 192.168.2.23:51612
Source: Traffic Snort IDS: 716 INFO TELNET access 58.26.108.34:23 -> 192.168.2.23:37168
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 42.63.24.62:23 -> 192.168.2.23:49516
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 42.63.24.62:23 -> 192.168.2.23:49516
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.244.252.47:23 -> 192.168.2.23:59928
Source: Traffic Snort IDS: 716 INFO TELNET access 222.222.173.171:23 -> 192.168.2.23:42174
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.169.69.75:23 -> 192.168.2.23:45012
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.169.69.75:23 -> 192.168.2.23:45012
Source: Traffic Snort IDS: 716 INFO TELNET access 153.151.190.73:23 -> 192.168.2.23:51694
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 118.163.235.60:23 -> 192.168.2.23:54006
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 118.163.235.60:23 -> 192.168.2.23:54006
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 202.151.73.246:23 -> 192.168.2.23:52194
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 202.151.73.246:23 -> 192.168.2.23:52194
Source: Traffic Snort IDS: 716 INFO TELNET access 223.244.252.47:23 -> 192.168.2.23:60074
Source: Traffic Snort IDS: 716 INFO TELNET access 222.222.173.171:23 -> 192.168.2.23:42282
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.228.16.21:23 -> 192.168.2.23:34734
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.228.16.21:23 -> 192.168.2.23:34734
Source: Traffic Snort IDS: 716 INFO TELNET access 78.30.39.60:23 -> 192.168.2.23:38986
Source: Traffic Snort IDS: 716 INFO TELNET access 166.155.150.155:23 -> 192.168.2.23:38542
Source: Traffic Snort IDS: 716 INFO TELNET access 153.151.190.73:23 -> 192.168.2.23:51820
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.244.252.47:23 -> 192.168.2.23:60074
Source: Traffic Snort IDS: 716 INFO TELNET access 119.178.234.29:23 -> 192.168.2.23:56028
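The alert list above is the most informative part of this report, but only once it is aggregated per remote server rather than read line by line. The following Python is an added example (not part of the Joe Sandbox report and not Snort code): it parses lines in the report's own "Source: Traffic Snort IDS: ..." format, groups the telnet replies by the server that sent them, counts sessions by distinct client port, and applies an assumed threshold (`min_servers`, set to 3 here) to decide whether the run looks like outbound credential brute forcing. The sample lines are copied from the alerts above; the SID meanings are taken from the alert messages.

```python
import re
from collections import defaultdict

# Alert lines exactly as the report prints them (copied from the Networking section above).
SAMPLE_ALERTS = [
    "Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.12.94.81:23 -> 192.168.2.23:35958",
    "Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.12.94.81:23 -> 192.168.2.23:35958",
    "Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36596",
    "Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 188.150.3.143: -> 192.168.2.23:",
    "Source: Traffic Snort IDS: 716 INFO TELNET access 178.207.60.252:23 -> 192.168.2.23:36614",
    "Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42378",
    "Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.74.111.43:23 -> 192.168.2.23:42388",
    "Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 45.228.16.21:23 -> 192.168.2.23:33976",
    "Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 45.228.16.21:23 -> 192.168.2.23:33976",
    "Source: Traffic Snort IDS: 716 INFO TELNET access 61.151.249.211:23 -> 192.168.2.23:37298",
    "Source: Traffic Snort IDS: 492 INFO TELNET login failed 61.151.249.211:23 -> 192.168.2.23:37298",
]

SANDBOX_IP = "192.168.2.23"
TELNET_PORT = 23
SID_ACCESS = 716                     # "INFO TELNET access": remote banner / login prompt
SID_LOGIN_FAILED = {492, 718, 1251}  # "login failed", "login incorrect", "Bad Login"

# The report prints ICMP alerts with empty ports ("188.150.3.143: -> 192.168.2.23:"),
# hence \d* rather than \d+ for the port groups.
ALERT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d*) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d*)$"
)


def parse_alert(line):
    """Return a dict for one report line, or None if it is not a Snort alert line."""
    m = ALERT_RE.search(line.rstrip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    for k in ("sport", "dport"):
        a[k] = int(a[k]) if a[k] else None
    return a


def summarize_telnet(lines, sandbox_ip=SANDBOX_IP):
    """Group alerts by the remote telnet server that produced them.
    Only flows <server>:23 -> <sandbox>:<ephemeral> count, i.e. replies to
    sessions the guest opened; each distinct client port is one session."""
    servers = defaultdict(lambda: {"access": 0, "failed_login": 0, "sessions": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None or a["dst"] != sandbox_ip or a["sport"] != TELNET_PORT:
            continue  # ICMP alerts and anything that is not a telnet reply
        s = servers[a["src"]]
        s["sessions"].add(a["dport"])
        if a["sid"] == SID_ACCESS:
            s["access"] += 1
        elif a["sid"] in SID_LOGIN_FAILED:
            s["failed_login"] += 1
    return dict(servers)


def verdict(servers, min_servers=3):
    """Outbound credential brute force = rejected logins from several distinct
    servers within one run. min_servers is an assumed threshold, not a report value."""
    rejected = [ip for ip, s in servers.items() if s["failed_login"] > 0]
    return {
        "telnet_servers": len(servers),
        "servers_with_failed_logins": len(rejected),
        "sessions": sum(len(s["sessions"]) for s in servers.values()),
        "outbound_telnet_bruteforce": len(rejected) >= min_servers,
    }


if __name__ == "__main__":
    summary = summarize_telnet(SAMPLE_ALERTS)
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} sessions={len(s['sessions'])} access={s['access']} failed_login={s['failed_login']}")
    print(verdict(summary))
```

Because SIDs 1251 and 718 both fire on one rejected attempt, `failed_login` counts alerts, not attempts; use `sessions` for the per-server attempt count. Feeding the full alert list from this report through the same code gives a few dozen distinct servers, which is the pattern to look for in egress IDS logs when hunting for an infected host rather than a scanned one.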
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35930
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35932
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35934
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35936
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35940
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35946
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35954
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35962
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35964
Port 23 is the telnet service port. These ten flows are the guest's outbound telnet sessions (remote port 23, client ports 35930-35964, the same range as the Snort alerts above), so the traffic is telnet rather than HTTP; the "HTTP on a non-standard port" label is a protocol-heuristic misclassification and adds nothing beyond the Snort evidence.
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
91.189.91.42 and 91.189.91.43 are in Canonical's address range (Ubuntu infrastructure), so the two 443 connections most likely come from the guest OS itself rather than from the sample. None of the three endpoints is corroborated as a payload host anywhere else in this report, so the "expired dropper" label is weak evidence that the sample has a download stage.
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:53546 -> 45.61.184.103:1312
Sample listens on a socket
Source: /tmp/1Zn1o0ho0d (PID: 5329) Socket: 0.0.0.0::0
Source: /tmp/1Zn1o0ho0d (PID: 5335) Socket: 0.0.0.0::0
Source: /usr/sbin/sshd (PID: 5363) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5363) Socket: [::]::22
The two sshd entries are the guest's own SSH daemon, not the sample. The sample's two processes bind 0.0.0.0 with port 0, which means the kernel assigns an ephemeral port; the report does not show which port was assigned or what it is used for.
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.184.103
Source: unknown TCP traffic detected without corresponding DNS query: 19.144.151.212
Source: unknown TCP traffic detected without corresponding DNS query: 1.156.101.49
Source: unknown TCP traffic detected without corresponding DNS query: 40.147.72.91
Source: unknown TCP traffic detected without corresponding DNS query: 209.203.206.212
Source: unknown TCP traffic detected without corresponding DNS query: 82.184.240.109
Source: unknown TCP traffic detected without corresponding DNS query: 112.213.151.155
Source: unknown TCP traffic detected without corresponding DNS query: 94.224.236.78
Source: unknown TCP traffic detected without corresponding DNS query: 146.253.39.205
Source: unknown TCP traffic detected without corresponding DNS query: 158.74.71.229
Source: unknown TCP traffic detected without corresponding DNS query: 38.236.176.204
Source: unknown TCP traffic detected without corresponding DNS query: 195.19.16.11
Source: unknown TCP traffic detected without corresponding DNS query: 89.216.24.175
Source: unknown TCP traffic detected without corresponding DNS query: 242.195.215.219
Source: unknown TCP traffic detected without corresponding DNS query: 172.168.60.98
Source: unknown TCP traffic detected without corresponding DNS query: 89.11.92.97
Source: unknown TCP traffic detected without corresponding DNS query: 36.62.213.26
Source: unknown TCP traffic detected without corresponding DNS query: 213.158.52.104
Source: unknown TCP traffic detected without corresponding DNS query: 170.64.194.116
Source: unknown TCP traffic detected without corresponding DNS query: 84.174.175.114
Source: unknown TCP traffic detected without corresponding DNS query: 146.147.140.118
Source: unknown TCP traffic detected without corresponding DNS query: 113.201.32.205
Source: unknown TCP traffic detected without corresponding DNS query: 171.204.159.164
Source: unknown TCP traffic detected without corresponding DNS query: 158.142.241.45
Source: unknown TCP traffic detected without corresponding DNS query: 58.159.20.247
Source: unknown TCP traffic detected without corresponding DNS query: 250.177.247.139
Source: unknown TCP traffic detected without corresponding DNS query: 221.108.158.190
Source: unknown TCP traffic detected without corresponding DNS query: 84.14.81.112
Source: unknown TCP traffic detected without corresponding DNS query: 76.216.50.56
Source: unknown TCP traffic detected without corresponding DNS query: 185.27.46.90
Source: unknown TCP traffic detected without corresponding DNS query: 178.211.126.126
Source: unknown TCP traffic detected without corresponding DNS query: 62.8.172.188
Source: unknown TCP traffic detected without corresponding DNS query: 53.126.99.214
Source: unknown TCP traffic detected without corresponding DNS query: 165.140.65.130
Source: unknown TCP traffic detected without corresponding DNS query: 223.215.75.244
Source: unknown TCP traffic detected without corresponding DNS query: 221.42.145.178
Source: unknown TCP traffic detected without corresponding DNS query: 194.26.94.41
Source: unknown TCP traffic detected without corresponding DNS query: 37.138.101.243
Source: unknown TCP traffic detected without corresponding DNS query: 72.98.96.27
Source: unknown TCP traffic detected without corresponding DNS query: 218.203.211.166
Source: unknown TCP traffic detected without corresponding DNS query: 243.247.240.222
Source: unknown TCP traffic detected without corresponding DNS query: 153.114.232.183
Source: unknown TCP traffic detected without corresponding DNS query: 39.228.186.44
Source: unknown TCP traffic detected without corresponding DNS query: 223.90.174.102
Source: unknown TCP traffic detected without corresponding DNS query: 248.159.48.135
Source: unknown TCP traffic detected without corresponding DNS query: 136.58.3.105
Source: unknown TCP traffic detected without corresponding DNS query: 23.60.50.185
Source: unknown TCP traffic detected without corresponding DNS query: 120.112.118.222
Source: unknown TCP traffic detected without corresponding DNS query: 75.116.81.194
Several of the addresses above (242.195.215.219, 250.177.247.139, 243.247.240.222, 248.159.48.135) fall in the reserved 240.0.0.0/4 block and can never answer. Unresolvable targets with no DNS lookups at all is the signature of a scanner generating random IPv4 addresses, not of a bot contacting configured hosts; only 45.61.184.103 (port 1312, listed above) stands out as a deliberate, non-random destination.
Source: 1Zn1o0ho0d String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Yara signature match
Source: 1Zn1o0ho0d, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
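The two structural findings above (no section headers, a single program segment at 0x8000) and the UPX marker strings from the Data Obfuscation section can be checked on any ELF without a sandbox. The Python below is an added example, not the Yara rule quoted above and not Joe Sandbox code: it walks the ELF header and program headers for both ELF32 and ELF64, reports the PT_LOAD segments and section count, and scans for the UPX strings. The ELF it builds for the demonstration is constructed in memory to mirror the report's facts (EM_ARM = 40 for the "arm" tag, one PT_LOAD at 0x8000, no section table, the "$Info: ... UPX ..." string appended); it is not the analysed binary and contains no code.

```python
import struct
from dataclasses import dataclass, field

PT_LOAD = 1
EM_ARM = 40
# Strings the report found in the sample; a stock UPX stub carries them in clear.
UPX_MARKERS = (
    b"UPX!",
    b"$Info: This file is packed with the UPX executable packer",
    b"http://upx.sf.net",
)


@dataclass
class ElfFacts:
    bits: int
    machine: int
    section_count: int
    load_segments: list = field(default_factory=list)  # (p_offset, p_vaddr, p_filesz)
    upx_strings: list = field(default_factory=list)


def inspect_elf(data: bytes) -> ElfFacts:
    """Parse just enough of the ELF header and program headers to answer the two
    questions the report raises: is there a section table, and how many PT_LOAD
    segments are there?  Raises ValueError on non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = 32 if data[4] == 1 else 64          # EI_CLASS
    end = "<" if data[5] == 1 else ">"          # EI_DATA: little or big endian
    if bits == 32:
        hdr_fmt, phdr_fmt = "HHIIIIIHHHHHH", "IIIIIIII"
    else:
        hdr_fmt, phdr_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ"
    hdr = struct.unpack_from(end + hdr_fmt, data, 16)
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    e_machine, e_phoff, e_phentsize, e_phnum, e_shnum = hdr[1], hdr[4], hdr[8], hdr[9], hdr[11]
    facts = ElfFacts(bits=bits, machine=e_machine, section_count=e_shnum)
    for i in range(e_phnum):
        ph = struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)
        if bits == 32:
            p_type, p_offset, p_vaddr, _p_paddr, p_filesz = ph[:5]
        else:  # ELF64 moves p_flags right after p_type
            p_type, _p_flags, p_offset, p_vaddr, _p_paddr, p_filesz = ph[:6]
        if p_type == PT_LOAD:
            facts.load_segments.append((p_offset, p_vaddr, p_filesz))
    facts.upx_strings = [m.decode() for m in UPX_MARKERS if m in data]
    return facts


def packed_elf_indicators(data: bytes) -> list:
    """The triage indicators this report lists, as short strings."""
    f = inspect_elf(data)
    hits = []
    if f.section_count == 0:
        hits.append("no section headers")
    if len(f.load_segments) == 1:
        hits.append("single PT_LOAD at 0x%x" % f.load_segments[0][1])
    if f.upx_strings:
        hits.append("UPX marker strings present")
    return hits


def build_sample_elf() -> bytes:
    """Constructed for this example: ELF32 little-endian ARM, one PT_LOAD mapping
    the whole file at 0x8000, e_shoff/e_shnum = 0, UPX info string appended."""
    info = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"
    total = 52 + 32 + len(info)  # Ehdr + one Phdr + payload
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x8000, 0x8000, total, total, 5, 0x8000)
    return ehdr + phdr + info


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    f = inspect_elf(data)
    print(f"{f.bits}-bit, e_machine={f.machine}, sections={f.section_count}, PT_LOAD={f.load_segments}")
    print("indicators:", packed_elf_indicators(data))
```

Two caveats when using this outside the example. Mirai builds for IoT targets frequently patch the UPX magic and strip the "$Info" string, so the string check misses them while the structural check (no sections, one LOAD segment) still fires; and tools such as sstrip remove the section table from legitimate static binaries too, so these are triage indicators to combine with the behavioural evidence, not a verdict on their own.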
Sample tries to kill a process (SIGKILL)
Source: /tmp/1Zn1o0ho0d (PID: 5335) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal72.troj.evad.lin@0/57@0/0
Source: 1Zn1o0ho0d Joe Sandbox Cloud Basic: Detection: clean Score: 0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/491/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/793/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/772/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/796/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/774/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/797/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/777/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/799/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/658/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/912/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/759/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/936/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/918/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/1/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/761/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/785/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/884/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/720/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/721/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/788/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/789/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/800/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/801/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/847/fd
Source: /tmp/1Zn1o0ho0d (PID: 5335) File opened: /proc/904/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2033/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1582/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2275/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1612/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1579/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1699/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1335/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1698/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2028/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1334/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1576/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2302/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/3236/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2025/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2146/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/912/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/759/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2307/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/918/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1594/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2285/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2281/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1349/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1623/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/761/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1622/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/884/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1983/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2038/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1586/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1465/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1344/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1860/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1463/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2156/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/800/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/801/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1629/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1627/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1900/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/5200/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/5201/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/491/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2294/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2050/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1877/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/772/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1633/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1599/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1632/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1477/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/774/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1476/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1872/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2048/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1475/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2289/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/777/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/5038/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/658/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1639/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/4503/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1638/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2208/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2180/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/5331/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1809/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1494/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1890/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2063/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/2062/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1888/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1886/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1489/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/785/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/1642/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/788/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/789/fd
Source: /tmp/1Zn1o0ho0d (PID: 5329) File opened: /proc/5329/fd
Both sample processes open /proc/<pid>/fd for every process on the guest, including init (pid 1) and the sample itself (pid 5329). Reading each process's descriptor links is consistent with the Mirai killer routine, which resolves a listening socket's inode from /proc/net/tcp and then readlink()s /proc/<pid>/fd/* to find the owning process so it can kill it and take over the port. The SIGKILL to pid 936 listed under System Summary (sent by PID 5335) targets one of the pids enumerated here (/proc/936/fd). This is not persistence or installation behaviour despite the section it is filed under; nothing in the report shows the sample writing to disk outside /tmp.
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5296) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log " Jump to behavior
Source: /usr/sbin/logrotate (PID: 5307) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog Jump to behavior
Source: /usr/sbin/logrotate (PID: 5312) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/mail.info/var/log/mail.warn/var/log/mail.err/var/log/mail.log/var/log/daemon.log/var/log/kern.log/var/log/auth.log/var/log/user.log/var/log/lpr.log/var/log/cron.log/var/log/debug/var/log/messages Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35930
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35932
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35934
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35936
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35940
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35946
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35954
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35962
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35964

Malware Analysis System Evasion:

Deletes log files
Source: /usr/sbin/logrotate (PID: 5216) Truncated file: /var/log/cups/access_log.1
Source: /usr/sbin/logrotate (PID: 5216) Truncated file: /var/log/syslog.1
Source: /usr/sbin/logrotate (PID: 5216) Truncated file: /var/log/kern.log.1
Source: /usr/sbin/logrotate (PID: 5216) Truncated file: /var/log/auth.log.1
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/find (PID: 5294) Queries kernel information via 'uname':
Source: /tmp/1Zn1o0ho0d (PID: 5327) Queries kernel information via 'uname':
Source: 5300.20.dr Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 5300.20.dr Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 5300.20.dr Binary or memory string: qemu-or1k
Source: 5300.20.dr Binary or memory string: qemu-riscv64
Source: 5300.20.dr Binary or memory string: {cqemu
Source: 5300.20.dr Binary or memory string: qemu-arm
Source: 5300.20.dr Binary or memory string: (qemu
Source: 5300.20.dr Binary or memory string: qemu-tilegx
Source: 5300.20.dr Binary or memory string: qemu-hppa
Source: 5300.20.dr Binary or memory string: q{rqemu%
Source: 5300.20.dr Binary or memory string: )qemu
Source: 5300.20.dr Binary or memory string: vmware-toolbox-cmd
Source: 5300.20.dr Binary or memory string: qemu-ppc
Source: 5300.20.dr Binary or memory string: Tqemu9
Source: 1Zn1o0ho0d, 5327.1.000000007c8b21e6.000000009461895e.rw-.sdmp Binary or memory string: m}U!/etc/qemu-binfmt/arm
Source: 5300.20.dr Binary or memory string: qemu-aarch64_be
Source: 5300.20.dr Binary or memory string: 0qemu9
Source: 5300.20.dr Binary or memory string: qemu-sparc64
Source: 5300.20.dr Binary or memory string: qemu-mips64
Source: 5300.20.dr Binary or memory string: vV:qemu9
Source: 5300.20.dr Binary or memory string: qemu-ppc64le
Source: 5300.20.dr Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given 
configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 5300.20.dr Binary or memory string: vmware
Source: 5300.20.dr Binary or memory string: qemu-cris
Source: 5300.20.dr Binary or memory string: libvmtools
Source: 5300.20.dr Binary or memory string: qemu-m68k
Source: 5300.20.dr Binary or memory string: qemu-xtensa
Source: 5300.20.dr Binary or memory string: 9qemu
Source: 5300.20.dr Binary or memory string: qemu-sh4
Source: 5300.20.dr Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager 
configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: 1Zn1o0ho0d, 5327.1.000000007c8b21e6.000000009461895e.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 5300.20.dr Binary or memory string: .qemu{
Source: 5300.20.dr Binary or memory string: qemu-ppc64abi32
Source: 5300.20.dr Binary or memory string: qemu-ppc64
Source: 5300.20.dr Binary or memory string: qemu-i386
Source: 5300.20.dr Binary or memory string: qemu-x86_64
Source: 5300.20.dr Binary or memory string: H~6\nqemu*q
Source: 5300.20.dr Binary or memory string: @qemu
Source: 5300.20.dr Binary or memory string: Fqqemu
Source: 5300.20.dr Binary or memory string: N4qemu
Source: 5300.20.dr Binary or memory string: ~6\nqemu*q
Source: 5300.20.dr Binary or memory string: qemu-mips64el
Source: 5300.20.dr Binary or memory string: hqemu
Source: 5300.20.dr Binary or memory string: &mqemu
Source: 5300.20.dr Binary or memory string: $qemu
Source: 5300.20.dr Binary or memory string: qemu-sparc
Source: 5300.20.dr Binary or memory string: qemu-microblaze
Source: 5300.20.dr Binary or memory string: qemu-user
Source: 5300.20.dr Binary or memory string: qemu-aarch64
Source: 5300.20.dr Binary or memory string: qemu-sh4eb
Source: 5300.20.dr Binary or memory string: iqemu
Source: 5300.20.dr Binary or memory string: qemu-mipsel
Source: 5300.20.dr Binary or memory string: qemuP`
Source: 5300.20.dr Binary or memory string: qemu-alpha
Source: 1Zn1o0ho0d, 5327.1.000000009573088f.00000000c9a6208a.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/1Zn1o0ho0dSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/1Zn1o0ho0d
Source: 5300.20.dr Binary or memory string: qemu-microblazeel
Source: 5300.20.dr Binary or memory string: \qemu
Source: 5300.20.dr Binary or memory string: qemu-xtensaeb
Source: 5300.20.dr Binary or memory string: qemu-mipsn32el
Source: 5300.20.dr Binary or memory string: SAqemu
Source: 5300.20.dr Binary or memory string: Vqemu
Source: 5300.20.dr Binary or memory string: qemu-mipsn32
Source: 5300.20.dr Binary or memory string: qemuAU
Source: 5300.20.dr Binary or memory string: qemu-riscv32
Source: 5300.20.dr Binary or memory string: qemu-sparc32plus
Source: 5300.20.dr Binary or memory string: 7,qemu
Source: 5300.20.dr Binary or memory string: qemu-s390x
Source: 5300.20.dr Binary or memory string: vmware-checkvm
Source: 5300.20.dr Binary or memory string: qemu-nios2
Source: 5300.20.dr Binary or memory string: qemu-armeb
Source: 5300.20.dr Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 5300.20.dr Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS 
resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 5300.20.dr Binary or memory string: I_qemu
Source: 1Zn1o0ho0d, 5327.1.000000009573088f.00000000c9a6208a.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: 5300.20.dr Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 5300.20.dr Binary or memory string: -3315837702310A--gzvmware shared library
Source: 5300.20.dr Binary or memory string: qemu-mips
Source: 5300.20.dr Binary or memory string: qemuj\
Source: 5300.20.dr Binary or memory string: {qemuQ&
Source: 5300.20.dr Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin 
provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 5300.20.dr Binary or memory string: vmware-xferlogs

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP