Linux Analysis Report gL6zNW1uNj

Overview

General Information

Sample Name:	gL6zNW1uNj
Analysis ID:	519630
MD5:	deee0487e17b20a74a1757f36e92a240
SHA1:	865c8c7d1b4d725220d58075839e1429820e3465
SHA256:	9ad0477757b6e3b5808cb2ef7b0a53c58823ab63339d8575f454341446bf2b14
Tags:	32elfmiraisparc
Infos:
Most interesting Screenshot:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: gL6zNW1uNj	Virustotal: Detection: 49%			Perma Link
Source: gL6zNW1uNj	ReversingLabs: Detection: 55%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.28.78.146:23 -> 192.168.2.23:36426
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58354
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58362
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58366
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58390
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58396
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58404
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58408
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58414
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58418
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58424
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37474
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37482
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37490
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37496
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 170.39.121.45:23 -> 192.168.2.23:50994
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 170.39.121.45:23 -> 192.168.2.23:50994
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37510
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37530
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54818
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54818
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54832
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54832
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37550
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54858
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54858
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37580
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54894
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54894
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37620
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37662
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 170.39.121.45:23 -> 192.168.2.23:51202
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 170.39.121.45:23 -> 192.168.2.23:51202
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55030
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55030
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55034
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55034
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55046
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55046
Source: Traffic	Snort IDS: 716 INFO TELNET access 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 68.115.186.41:23 -> 192.168.2.23:43838
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 68.115.186.41:23 -> 192.168.2.23:43838
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55096
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55096
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.113.244.20:23 -> 192.168.2.23:49610
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.113.244.20:23 -> 192.168.2.23:49610
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55134
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55134

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39944
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39948
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56724
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56748
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56752

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:44384 -> 86.126.191.187:1312

Sample listens on a socket

Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::23	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::37215	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::23	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::37215	Jump to behavior
Source: /usr/sbin/sshd (PID: 5286)	Socket: 0.0.0.0::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5286)	Socket: [::]::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5304)	Socket: 0.0.0.0::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5304)	Socket: [::]::22	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 86.126.191.187
Source: unknown	TCP traffic detected without corresponding DNS query: 154.206.38.139
Source: unknown	TCP traffic detected without corresponding DNS query: 101.130.129.147
Source: unknown	TCP traffic detected without corresponding DNS query: 8.204.194.128
Source: unknown	TCP traffic detected without corresponding DNS query: 47.125.240.84
Source: unknown	TCP traffic detected without corresponding DNS query: 57.8.81.223
Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.220.217
Source: unknown	TCP traffic detected without corresponding DNS query: 73.46.136.207
Source: unknown	TCP traffic detected without corresponding DNS query: 192.89.191.6
Source: unknown	TCP traffic detected without corresponding DNS query: 60.64.228.232
Source: unknown	TCP traffic detected without corresponding DNS query: 75.203.207.217
Source: unknown	TCP traffic detected without corresponding DNS query: 163.88.47.71
Source: unknown	TCP traffic detected without corresponding DNS query: 42.237.32.248
Source: unknown	TCP traffic detected without corresponding DNS query: 150.221.199.109
Source: unknown	TCP traffic detected without corresponding DNS query: 19.0.217.207
Source: unknown	TCP traffic detected without corresponding DNS query: 250.16.28.79
Source: unknown	TCP traffic detected without corresponding DNS query: 107.252.94.222
Source: unknown	TCP traffic detected without corresponding DNS query: 192.50.222.74
Source: unknown	TCP traffic detected without corresponding DNS query: 107.117.147.93
Source: unknown	TCP traffic detected without corresponding DNS query: 169.138.96.213
Source: unknown	TCP traffic detected without corresponding DNS query: 18.96.158.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.67.244.33
Source: unknown	TCP traffic detected without corresponding DNS query: 57.244.27.55
Source: unknown	TCP traffic detected without corresponding DNS query: 184.217.61.34
Source: unknown	TCP traffic detected without corresponding DNS query: 252.137.132.179
Source: unknown	TCP traffic detected without corresponding DNS query: 118.232.80.207
Source: unknown	TCP traffic detected without corresponding DNS query: 18.182.98.193
Source: unknown	TCP traffic detected without corresponding DNS query: 192.9.42.7
Source: unknown	TCP traffic detected without corresponding DNS query: 205.187.71.176
Source: unknown	TCP traffic detected without corresponding DNS query: 252.97.60.34
Source: unknown	TCP traffic detected without corresponding DNS query: 178.239.202.195
Source: unknown	TCP traffic detected without corresponding DNS query: 18.169.214.44
Source: unknown	TCP traffic detected without corresponding DNS query: 54.118.2.114
Source: unknown	TCP traffic detected without corresponding DNS query: 248.61.246.8
Source: unknown	TCP traffic detected without corresponding DNS query: 141.234.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 77.48.99.254
Source: unknown	TCP traffic detected without corresponding DNS query: 174.251.29.219
Source: unknown	TCP traffic detected without corresponding DNS query: 87.1.84.37
Source: unknown	TCP traffic detected without corresponding DNS query: 125.240.72.254
Source: unknown	TCP traffic detected without corresponding DNS query: 173.0.147.247
Source: unknown	TCP traffic detected without corresponding DNS query: 116.223.177.216
Source: unknown	TCP traffic detected without corresponding DNS query: 8.222.84.87
Source: unknown	TCP traffic detected without corresponding DNS query: 194.198.169.176
Source: unknown	TCP traffic detected without corresponding DNS query: 150.84.116.130
Source: unknown	TCP traffic detected without corresponding DNS query: 162.165.39.78
Source: unknown	TCP traffic detected without corresponding DNS query: 249.204.91.17
Source: unknown	TCP traffic detected without corresponding DNS query: 191.49.123.189
Source: unknown	TCP traffic detected without corresponding DNS query: 184.250.54.229
Source: unknown	TCP traffic detected without corresponding DNS query: 133.148.41.181
Source: unknown	TCP traffic detected without corresponding DNS query: 120.97.159.124

System Summary:

Sample tries to kill many processes (SIGKILL)

Source: /tmp/gL6zNW1uNj (PID: 5241)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5273, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 847, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2180, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2191, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2208, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2285, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2289, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2294, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5250, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5280, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5286, result: successful	Jump to behavior

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/gL6zNW1uNj (PID: 5241)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5273, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 847, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2180, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2191, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2208, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2285, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2289, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2294, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5250, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5280, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5286, result: successful	Jump to behavior

Source: classification engine

Classification label: mal72.spre.troj.lin@0/4@0/0

Source: gL6zNW1uNj

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/904/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5145/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3088/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/910/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39944
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39948
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56724
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56748
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56752

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/gL6zNW1uNj (PID: 5239)

Queries kernel information via 'uname':

Jump to behavior

Source: gL6zNW1uNj, 5239.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: gL6zNW1uNj, 5239.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: gL6zNW1uNj, 5298.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: gL6zNW1uNj, 5239.1.0000000082bb98ad.00000000d33cd321.rw-.sdmp	Binary or memory string: {wx86_64/usr/bin/qemu-sparc/tmp/gL6zNW1uNjSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gL6zNW1uNj
Source: gL6zNW1uNj, 5298.1.00000000f91ff669.000000003459bf12.rw-.sdmp	Binary or memory string: U/sparc/10 /usr/bin/qemu-sparc!/proc/5268/fd/111
Source: gL6zNW1uNj, 5239.1.0000000082bb98ad.00000000d33cd321.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: gL6zNW1uNj, 5298.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: U1/usr/bin/vmtoolsdparc/10!/proc/1890/fd/48!/proc/1642/exeP

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
197.153.61.25	unknown	Morocco	36925	ASMediMA	false
151.86.44.187	unknown	Italy	8217	ASN-ENIIT	false
107.18.149.250	unknown	United States	14654	WAYPORTUS	false
243.122.7.203	unknown	Reserved	unknown	unknown	false
83.81.157.142	unknown	Netherlands	33915	TNF-ASNL	false
170.201.71.125	unknown	United States	10995	PNCBANKUS	false
160.242.103.111	unknown	Namibia	33763	Paratus-TelecomNA	false
152.88.139.42	unknown	Switzerland	559	SWITCHPeeringrequestspeeringswitchchEU	false
88.73.217.49	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
191.85.197.196	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
195.161.24.251	unknown	Russian Federation	8342	RTCOMM-ASRU	false
34.154.113.0	unknown	United States	2686	ATGS-MMD-ASUS	false
27.104.108.182	unknown	Singapore	4773	MOBILEONELTD-AS-APMobileOneLtdMobileInternetServicePr	false
204.189.141.189	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
85.248.170.96	unknown	Slovakia (SLOVAK Republic)	5578	AS-BENESTRABratislavaSlovakRepublicSK	false
81.43.97.163	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
9.99.10.49	unknown	United States	3356	LEVEL3US	false
193.18.64.58	unknown	Germany	41099	GLOBALREACHGB	false
78.143.58.128	unknown	Germany	34309	LINK11Link11GmbHDE	false
159.142.240.78	unknown	United States	2714	GSA-GOVUS	false
83.195.47.1	unknown	France	3215	FranceTelecom-OrangeFR	false
100.39.34.187	unknown	United States	5650	FRONTIER-FRTRUS	false
35.155.144.153	unknown	United States	16509	AMAZON-02US	false
89.82.103.245	unknown	France	5410	BOUYGTEL-ISPFR	false
206.156.198.155	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
63.15.73.8	unknown	United States	701	UUNETUS	false
102.248.204.116	unknown	South Africa	5713	SAIX-NETZA	false
247.105.76.221	unknown	Reserved	unknown	unknown	false
248.44.16.163	unknown	Reserved	unknown	unknown	false
135.205.234.119	unknown	United States	6431	ATT-RESEARCHUS	false
87.1.84.37	unknown	Italy	3269	ASN-IBSNAZIT	false
241.35.160.0	unknown	Reserved	unknown	unknown	false
246.89.40.146	unknown	Reserved	unknown	unknown	false
168.82.87.233	unknown	United States	8103	STATE-OF-FLAUS	false
65.33.229.36	unknown	United States	33363	BHN-33363US	false
5.247.253.74	unknown	Saudi Arabia	34400	ASN-ETTIHADETISALATSA	false
157.138.8.249	unknown	Italy	137	ASGARRConsortiumGARREU	false
216.202.137.20	unknown	United States	3356	LEVEL3US	false
80.248.16.53	unknown	Iceland	29689	ORIGO-ASIS	false
24.93.166.148	unknown	United States	10796	TWC-10796-MIDWESTUS	false
18.160.223.44	unknown	United States	3	MIT-GATEWAYSUS	false
157.222.204.52	unknown	United States	4704	SANNETRakutenMobileIncJP	false
213.60.172.111	unknown	Spain	12334	Galicia-SpainES	false
75.223.213.59	unknown	United States	22394	CELLCOUS	false
111.243.11.20	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
162.239.12.7	unknown	United States	7018	ATT-INTERNET4US	false
14.185.213.79	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
211.200.115.186	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
177.244.147.186	unknown	Mexico	13999	MegaCableSAdeCVMX	false
173.81.96.181	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
114.159.61.103	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
169.156.132.11	unknown	United States	6189	EPFL-ASUS	false
110.26.118.12	unknown	Taiwan; Republic of China (ROC)	9674	FET-TWFarEastToneTelecommunicationCoLtdTW	false
216.189.140.106	unknown	United States	21902	WCTAUS	false
122.109.133.175	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
179.161.68.206	unknown	Brazil	26599	TELEFONICABRASILSABR	false
95.39.201.172	unknown	Spain	12357	COMUNITELSPAINES	false
221.190.17.112	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
142.14.127.103	unknown	Canada	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
241.207.254.214	unknown	Reserved	unknown	unknown	false
169.86.62.36	unknown	United States	37611	AfrihostZA	false
207.123.43.254	unknown	United States	3356	LEVEL3US	false
122.224.85.220	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
193.146.135.162	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
244.39.205.7	unknown	Reserved	unknown	unknown	false
18.40.249.230	unknown	United States	3	MIT-GATEWAYSUS	false
202.93.232.234	unknown	Indonesia	38758	HYPERNET-AS-IDPTHIPERNETINDODATAID	false
155.199.164.179	unknown	United States	786	JANETJiscServicesLimitedGB	false
220.195.123.67	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
119.159.35.25	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
101.208.151.88	unknown	India	58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false
91.18.128.136	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
194.52.199.122	unknown	Sweden	31529	DENIC-ANYCAST-ASDNSanycastASobjectforDEDNSservice	false
23.50.220.217	unknown	United States	16625	AKAMAI-ASUS	false
98.146.118.80	unknown	United States	10838	OCEANIC-INTERNET-RRUS	false
203.168.187.234	unknown	Hong Kong	9908	HKCABLE2-HK-APHKCableTVLtdHK	false
176.212.43.225	unknown	Russian Federation	57378	ROSTOV-ASRU	false
48.38.254.123	unknown	United States	2686	ATGS-MMD-ASUS	false
53.176.103.106	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
152.223.201.108	unknown	United States	30313	IRSUS	false
102.55.170.247	unknown	Morocco	6713	IAM-ASMA	false
114.123.47.5	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
61.55.8.196	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
251.25.189.68	unknown	Reserved	unknown	unknown	false
14.120.104.110	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
68.147.7.93	unknown	Canada	6327	SHAWCA	false
97.20.172.125	unknown	United States	22394	CELLCOUS	false
41.152.76.227	unknown	Egypt	36992	ETISALAT-MISREG	false
48.131.158.196	unknown	United States	2686	ATGS-MMD-ASUS	false
106.26.169.88	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
130.252.51.239	unknown	United States	14365	ADOBE-NETUS	false
155.54.253.41	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
8.2.139.206	unknown	United States	3356	LEVEL3US	false
75.235.78.135	unknown	United States	22394	CELLCOUS	false
36.131.159.191	unknown	China	56044	CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC	false
100.49.35.79	unknown	United States	701	UUNETUS	false
166.14.24.193	unknown	Switzerland	11798	ACEDATACENTERS-AS-1US	false
246.125.194.19	unknown	Reserved	unknown	unknown	false
223.218.222.111	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
103.140.138.184	unknown	Malaysia	133936	X86NETWORK-AS-APX86NetworkSdnBhdMY	false

AV Detection:

Multi AV Scanner detection for submitted file

Source: gL6zNW1uNj	Virustotal: Detection: 49%			Perma Link
Source: gL6zNW1uNj	ReversingLabs: Detection: 55%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.28.78.146:23 -> 192.168.2.23:36426
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58354
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58362
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58366
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58390
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58396
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58404
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58408
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58414
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58418
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.133.7.233:23 -> 192.168.2.23:58424
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37474
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37482
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37490
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37496
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 170.39.121.45:23 -> 192.168.2.23:50994
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 170.39.121.45:23 -> 192.168.2.23:50994
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37510
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37530
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54818
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54818
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54832
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54832
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37550
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54858
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54858
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37580
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:54894
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:54894
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37620
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.168.61.85:23 -> 192.168.2.23:37662
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 170.39.121.45:23 -> 192.168.2.23:51202
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 170.39.121.45:23 -> 192.168.2.23:51202
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55030
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55030
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55034
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55034
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55046
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55046
Source: Traffic	Snort IDS: 716 INFO TELNET access 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 68.115.186.41:23 -> 192.168.2.23:43838
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 68.115.186.41:23 -> 192.168.2.23:43838
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 179.92.78.179:23 -> 192.168.2.23:36676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55096
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55096
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.113.244.20:23 -> 192.168.2.23:49610
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.113.244.20:23 -> 192.168.2.23:49610
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 104.153.142.22:23 -> 192.168.2.23:55134
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 104.153.142.22:23 -> 192.168.2.23:55134

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39944
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39948
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56724
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56748
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56752

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:44384 -> 86.126.191.187:1312

Sample listens on a socket

Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::23	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	Socket: 0.0.0.0::37215	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::23	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	Socket: 0.0.0.0::37215	Jump to behavior
Source: /usr/sbin/sshd (PID: 5286)	Socket: 0.0.0.0::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5286)	Socket: [::]::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5304)	Socket: 0.0.0.0::22	Jump to behavior
Source: /usr/sbin/sshd (PID: 5304)	Socket: [::]::22	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 86.126.191.187
Source: unknown	TCP traffic detected without corresponding DNS query: 154.206.38.139
Source: unknown	TCP traffic detected without corresponding DNS query: 101.130.129.147
Source: unknown	TCP traffic detected without corresponding DNS query: 8.204.194.128
Source: unknown	TCP traffic detected without corresponding DNS query: 47.125.240.84
Source: unknown	TCP traffic detected without corresponding DNS query: 57.8.81.223
Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.220.217
Source: unknown	TCP traffic detected without corresponding DNS query: 73.46.136.207
Source: unknown	TCP traffic detected without corresponding DNS query: 192.89.191.6
Source: unknown	TCP traffic detected without corresponding DNS query: 60.64.228.232
Source: unknown	TCP traffic detected without corresponding DNS query: 75.203.207.217
Source: unknown	TCP traffic detected without corresponding DNS query: 163.88.47.71
Source: unknown	TCP traffic detected without corresponding DNS query: 42.237.32.248
Source: unknown	TCP traffic detected without corresponding DNS query: 150.221.199.109
Source: unknown	TCP traffic detected without corresponding DNS query: 19.0.217.207
Source: unknown	TCP traffic detected without corresponding DNS query: 250.16.28.79
Source: unknown	TCP traffic detected without corresponding DNS query: 107.252.94.222
Source: unknown	TCP traffic detected without corresponding DNS query: 192.50.222.74
Source: unknown	TCP traffic detected without corresponding DNS query: 107.117.147.93
Source: unknown	TCP traffic detected without corresponding DNS query: 169.138.96.213
Source: unknown	TCP traffic detected without corresponding DNS query: 18.96.158.1
Source: unknown	TCP traffic detected without corresponding DNS query: 116.67.244.33
Source: unknown	TCP traffic detected without corresponding DNS query: 57.244.27.55
Source: unknown	TCP traffic detected without corresponding DNS query: 184.217.61.34
Source: unknown	TCP traffic detected without corresponding DNS query: 252.137.132.179
Source: unknown	TCP traffic detected without corresponding DNS query: 118.232.80.207
Source: unknown	TCP traffic detected without corresponding DNS query: 18.182.98.193
Source: unknown	TCP traffic detected without corresponding DNS query: 192.9.42.7
Source: unknown	TCP traffic detected without corresponding DNS query: 205.187.71.176
Source: unknown	TCP traffic detected without corresponding DNS query: 252.97.60.34
Source: unknown	TCP traffic detected without corresponding DNS query: 178.239.202.195
Source: unknown	TCP traffic detected without corresponding DNS query: 18.169.214.44
Source: unknown	TCP traffic detected without corresponding DNS query: 54.118.2.114
Source: unknown	TCP traffic detected without corresponding DNS query: 248.61.246.8
Source: unknown	TCP traffic detected without corresponding DNS query: 141.234.1.205
Source: unknown	TCP traffic detected without corresponding DNS query: 77.48.99.254
Source: unknown	TCP traffic detected without corresponding DNS query: 174.251.29.219
Source: unknown	TCP traffic detected without corresponding DNS query: 87.1.84.37
Source: unknown	TCP traffic detected without corresponding DNS query: 125.240.72.254
Source: unknown	TCP traffic detected without corresponding DNS query: 173.0.147.247
Source: unknown	TCP traffic detected without corresponding DNS query: 116.223.177.216
Source: unknown	TCP traffic detected without corresponding DNS query: 8.222.84.87
Source: unknown	TCP traffic detected without corresponding DNS query: 194.198.169.176
Source: unknown	TCP traffic detected without corresponding DNS query: 150.84.116.130
Source: unknown	TCP traffic detected without corresponding DNS query: 162.165.39.78
Source: unknown	TCP traffic detected without corresponding DNS query: 249.204.91.17
Source: unknown	TCP traffic detected without corresponding DNS query: 191.49.123.189
Source: unknown	TCP traffic detected without corresponding DNS query: 184.250.54.229
Source: unknown	TCP traffic detected without corresponding DNS query: 133.148.41.181
Source: unknown	TCP traffic detected without corresponding DNS query: 120.97.159.124

System Summary:

Sample tries to kill many processes (SIGKILL)

Source: /tmp/gL6zNW1uNj (PID: 5241)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5273, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 847, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2180, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2191, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2208, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2285, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2289, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2294, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5250, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5280, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5286, result: successful	Jump to behavior

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/gL6zNW1uNj (PID: 5241)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5273, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 759, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 800, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 847, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1334, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1335, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1860, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2180, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2191, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2208, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2275, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2285, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2289, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 2294, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5250, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5280, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5281, result: successful	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	SIGKILL sent: pid: 5286, result: successful	Jump to behavior

Source: classification engine

Classification label: mal72.spre.troj.lin@0/4@0/0

Source: gL6zNW1uNj

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5241)	File opened: /proc/904/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5261/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5262/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5263/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5264/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5265/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5266/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5145/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5267/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5268/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2033/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1582/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2275/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3088/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5260/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1612/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1579/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1699/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1335/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1698/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2028/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1334/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/1576/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2302/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/3236/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2025/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/2146/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5258/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/910/exe	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/fd	Jump to behavior
Source: /tmp/gL6zNW1uNj (PID: 5247)	File opened: /proc/5259/exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39940
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39944
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39948
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39982
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39986
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54610
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54614
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54634
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56724
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56736
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56748
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56750
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56752

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/gL6zNW1uNj (PID: 5239)

Queries kernel information via 'uname':

Jump to behavior

Source: gL6zNW1uNj, 5239.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: gL6zNW1uNj, 5239.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: gL6zNW1uNj, 5298.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: gL6zNW1uNj, 5239.1.0000000082bb98ad.00000000d33cd321.rw-.sdmp	Binary or memory string: {wx86_64/usr/bin/qemu-sparc/tmp/gL6zNW1uNjSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gL6zNW1uNj
Source: gL6zNW1uNj, 5298.1.00000000f91ff669.000000003459bf12.rw-.sdmp	Binary or memory string: U/sparc/10 /usr/bin/qemu-sparc!/proc/5268/fd/111
Source: gL6zNW1uNj, 5239.1.0000000082bb98ad.00000000d33cd321.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: gL6zNW1uNj, 5298.1.00000000b1d99cf5.00000000f91ff669.rw-.sdmp	Binary or memory string: U1/usr/bin/vmtoolsdparc/10!/proc/1890/fd/48!/proc/1642/exeP

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

ID:	519630
Product:	CloudBasic
Start time:	23:51:08
Start date:	10.11.2021
Sample:	gL6zNW1uNj
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	deee0487e17b20a74a1757f36e92a240
SHA1:	865c8c7d1b4d725220d58075839e1429820e3465
SHA256:	9ad0477757b6e3b5808cb2ef7b0a53c58823ab63339d8575f454341446bf2b14
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/proc/5286/oom_score_adj	ASCII text	CBF282CC55ED0792C33D10003D1F760A	007DD8BD75468E6B7ABA4285E9B267202C7EAEED	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
/proc/5304/oom_score_adj	ASCII text	CBF282CC55ED0792C33D10003D1F760A	007DD8BD75468E6B7ABA4285E9B267202C7EAEED	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
/run/sshd.pid	ASCII text	C20A7ECD1C53AD9522EEDDA05994E0FF	4C58A470A925D0778306B17AF553D80D949DD3DD	4FA6BD7EB31F8EFFFE3EFAE78A995D530EB82462034F575AAF8163F46920EA78

Linux Analysis Report gL6zNW1uNj

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Network Map

Contacted Public IPs