Linux Analysis Report yH3AxCHT3I

Overview

General Information

Sample Name: yH3AxCHT3I
Analysis ID: 544729
MD5: 9065d02c3a51d27d6a930d838fa9d700
SHA1: cdd354cd859054955116cc0476884ed3b77b4c93
SHA256: 0054cf56d6a4ef6e38ccaaf189be5f9a2e94781c8234ed52bec896fbc525d511
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: yH3AxCHT3I Virustotal: Detection: 28%
Source: yH3AxCHT3I ReversingLabs: Detection: 37%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50482
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50492
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50508
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50510
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50512
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50514
Source: Traffic Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50516
Source: Traffic Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38294
Source: Traffic Snort IDS: 716 INFO TELNET access 45.225.194.59:23 -> 192.168.2.23:54128
Source: Traffic Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38298
Source: Traffic Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38322
Source: Traffic Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38324
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:41864 -> 205.185.117.54:9506
Sample listens on a socket
Source: /tmp/yH3AxCHT3I (PID: 5227) Socket: 0.0.0.0::23
Source: /tmp/yH3AxCHT3I (PID: 5227) Socket: 0.0.0.0::0
Source: /tmp/yH3AxCHT3I (PID: 5227) Socket: 0.0.0.0::80
Source: /tmp/yH3AxCHT3I (PID: 5227) Socket: 0.0.0.0::81
Source: /tmp/yH3AxCHT3I (PID: 5227) Socket: 0.0.0.0::8443
Source: /tmp/yH3AxCHT3I (PID: 5227) Socket: 0.0.0.0::9009
Source: /tmp/yH3AxCHT3I (PID: 5233) Socket: 0.0.0.0::0
Source: /tmp/yH3AxCHT3I (PID: 5233) Socket: 0.0.0.0::22
Source: /tmp/yH3AxCHT3I (PID: 5233) Socket: 0.0.0.0::80
Source: /tmp/yH3AxCHT3I (PID: 5233) Socket: 0.0.0.0::81
Source: /tmp/yH3AxCHT3I (PID: 5233) Socket: 0.0.0.0::8443
Source: /tmp/yH3AxCHT3I (PID: 5233) Socket: 0.0.0.0::9009
Source: /usr/sbin/sshd (PID: 5262) Socket: [::]::22
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 205.185.117.54
Source: unknown TCP traffic detected without corresponding DNS query: 37.197.57.223
Source: unknown TCP traffic detected without corresponding DNS query: 165.17.108.36
Source: unknown TCP traffic detected without corresponding DNS query: 146.67.240.76
Source: unknown TCP traffic detected without corresponding DNS query: 122.95.11.36
Source: unknown TCP traffic detected without corresponding DNS query: 203.241.48.6
Source: unknown TCP traffic detected without corresponding DNS query: 186.46.113.223
Source: unknown TCP traffic detected without corresponding DNS query: 139.146.108.104
Source: unknown TCP traffic detected without corresponding DNS query: 213.117.204.125
Source: unknown TCP traffic detected without corresponding DNS query: 92.235.184.66
Source: unknown TCP traffic detected without corresponding DNS query: 147.220.89.165
Source: unknown TCP traffic detected without corresponding DNS query: 209.68.4.108
Source: unknown TCP traffic detected without corresponding DNS query: 105.171.216.251
Source: unknown TCP traffic detected without corresponding DNS query: 109.82.7.187
Source: unknown TCP traffic detected without corresponding DNS query: 243.68.151.96
Source: unknown TCP traffic detected without corresponding DNS query: 82.78.9.239
Source: unknown TCP traffic detected without corresponding DNS query: 130.189.8.110
Source: unknown TCP traffic detected without corresponding DNS query: 217.66.233.112
Source: unknown TCP traffic detected without corresponding DNS query: 196.189.195.211
Source: unknown TCP traffic detected without corresponding DNS query: 176.247.247.146
Source: unknown TCP traffic detected without corresponding DNS query: 170.241.248.158
Source: unknown TCP traffic detected without corresponding DNS query: 122.169.217.90
Source: unknown TCP traffic detected without corresponding DNS query: 102.232.26.181
Source: unknown TCP traffic detected without corresponding DNS query: 4.136.252.225
Source: unknown TCP traffic detected without corresponding DNS query: 255.155.254.87
Source: unknown TCP traffic detected without corresponding DNS query: 122.200.62.168
Source: unknown TCP traffic detected without corresponding DNS query: 186.39.186.6
Source: unknown TCP traffic detected without corresponding DNS query: 9.152.71.217
Source: unknown TCP traffic detected without corresponding DNS query: 182.57.187.147
Source: unknown TCP traffic detected without corresponding DNS query: 211.157.177.175
Source: unknown TCP traffic detected without corresponding DNS query: 145.194.88.235
Source: unknown TCP traffic detected without corresponding DNS query: 242.107.16.195
Source: unknown TCP traffic detected without corresponding DNS query: 118.119.254.194
Source: unknown TCP traffic detected without corresponding DNS query: 212.20.146.7
Source: unknown TCP traffic detected without corresponding DNS query: 98.52.19.251
Source: unknown TCP traffic detected without corresponding DNS query: 74.201.21.110
Source: unknown TCP traffic detected without corresponding DNS query: 251.2.30.159
Source: unknown TCP traffic detected without corresponding DNS query: 104.178.87.45
Source: unknown TCP traffic detected without corresponding DNS query: 103.106.31.112
Source: unknown TCP traffic detected without corresponding DNS query: 14.165.174.33
Source: unknown TCP traffic detected without corresponding DNS query: 166.173.235.36
Source: unknown TCP traffic detected without corresponding DNS query: 207.99.53.171
Source: unknown TCP traffic detected without corresponding DNS query: 190.249.136.26
Source: unknown TCP traffic detected without corresponding DNS query: 4.153.48.106
Source: unknown TCP traffic detected without corresponding DNS query: 86.218.200.23
Source: unknown TCP traffic detected without corresponding DNS query: 35.33.254.199
Source: unknown TCP traffic detected without corresponding DNS query: 156.198.90.232
Source: unknown TCP traffic detected without corresponding DNS query: 117.5.249.162
Source: unknown TCP traffic detected without corresponding DNS query: 253.151.113.223
Source: unknown TCP traffic detected without corresponding DNS query: 179.62.107.173
Source: yH3AxCHT3I String found in binary or memory: http://upx.sf.net

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Yara signature match
Source: 5224.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5234.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5228.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5233.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Sample tries to kill a process (SIGKILL)
Source: /tmp/yH3AxCHT3I (PID: 5227) SIGKILL sent: pid: 5233, result: successful
Source: /tmp/yH3AxCHT3I (PID: 5227) SIGKILL sent: pid: 759, result: successful
Source: /tmp/yH3AxCHT3I (PID: 5233) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal84.troj.evad.lin@0/2@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/491/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/793/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/772/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/796/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/774/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/797/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/777/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/799/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/658/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/912/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/759/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/936/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/918/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/1/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/761/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/785/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/884/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/720/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/721/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/788/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/789/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/800/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/801/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/847/fd
Source: /tmp/yH3AxCHT3I (PID: 5233) File opened: /proc/904/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5262/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5262/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5141/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2033/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2033/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2033/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1582/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1582/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1582/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2275/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2275/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2275/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/3088/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5260/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1612/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1612/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1612/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1579/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1579/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1579/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1699/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1699/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1699/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1335/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1335/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1335/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1698/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1698/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1698/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2028/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2028/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2028/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1334/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1334/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1334/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1576/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1576/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1576/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2302/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2302/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2302/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/3236/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/3236/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/3236/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2025/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2025/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2025/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2146/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2146/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2146/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5258/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/910/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5259/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/912/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/912/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/912/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/759/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/759/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/759/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/517/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2307/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2307/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2307/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/918/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/918/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/918/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5152/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5036/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5036/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5036/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1594/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1594/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/1594/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2285/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2285/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2285/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2281/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2281/fd
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/2281/exe
Source: /tmp/yH3AxCHT3I (PID: 5227) File opened: /proc/5150/exe

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/yH3AxCHT3I (PID: 5224) Queries kernel information via 'uname'
Source: yH3AxCHT3I, 5224.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5228.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5233.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5234.1.000000007dcb2981.0000000062e7062f.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/yH3AxCHT3ISUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yH3AxCHT3I
Source: yH3AxCHT3I, 5224.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5228.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5233.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5234.1.0000000014637705.0000000081fedbd8.rw-.sdmp Binary or memory string: W#V!/etc/qemu-binfmt/arm
Source: yH3AxCHT3I, 5224.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5228.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5233.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5234.1.0000000014637705.0000000081fedbd8.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: yH3AxCHT3I, 5224.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5228.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5233.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5234.1.000000007dcb2981.0000000062e7062f.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY