Play interactive tour

Edit tour

Linux Analysis Report yH3AxCHT3I

Overview

General Information

Sample Name:	yH3AxCHT3I
Analysis ID:	544729
MD5:	9065d02c3a51d27d6a930d838fa9d700
SHA1:	cdd354cd859054955116cc0476884ed3b77b4c93
SHA256:	0054cf56d6a4ef6e38ccaaf189be5f9a2e94781c8234ed52bec896fbc525d511
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	544729
Start date:	24.12.2021
Start time:	01:47:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	yH3AxCHT3I
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal84.troj.evad.lin@0/2@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

yH3AxCHT3I (PID: 5224, Parent: 5115, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/yH3AxCHT3I

yH3AxCHT3I New Fork (PID: 5227, Parent: 5224)

yH3AxCHT3I New Fork (PID: 5228, Parent: 5224)

yH3AxCHT3I New Fork (PID: 5229, Parent: 5224)

yH3AxCHT3I New Fork (PID: 5233, Parent: 5229)

yH3AxCHT3I New Fork (PID: 5234, Parent: 5229)

yH3AxCHT3I New Fork (PID: 5237, Parent: 5229)

systemd New Fork (PID: 5261, Parent: 1)

sshd (PID: 5261, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5262, Parent: 1)

sshd (PID: 5262, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
5224.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x1414:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1488:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1570:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15e4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1864:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x18bc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1914:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x196c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x103cc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1043c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x104ac:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1051c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1058c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x107fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10850:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1094c:$xo1: oMXKNNC\x0D\x17\x0C\x12
5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xfd84:$x1: POST /cdn-cgi/ 0x1024c:$s1: LCOGQGPTGP
5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xfd84:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x103cc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1043c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x104ac:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1051c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1058c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x107fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10850:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1094c:$xo1: oMXKNNC\x0D\x17\x0C\x12
5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xfd84:$x1: POST /cdn-cgi/ 0x1024c:$s1: LCOGQGPTGP
5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xfd84:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x103cc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1043c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x104ac:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1051c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1058c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x107fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10850:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1094c:$xo1: oMXKNNC\x0D\x17\x0C\x12
5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xfd84:$x1: POST /cdn-cgi/ 0x1024c:$s1: LCOGQGPTGP
5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xfd84:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5234.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x1414:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1488:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1570:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15e4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1864:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x18bc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1914:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x196c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
5228.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x1414:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1488:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1570:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15e4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1864:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x18bc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1914:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x196c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
5233.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x1414:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1488:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1570:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15e4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1864:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x18bc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1914:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x196c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x103cc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1043c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x104ac:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1051c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1058c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x107fc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x10850:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x108f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1094c:$xo1: oMXKNNC\x0D\x17\x0C\x12
5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xfd84:$x1: POST /cdn-cgi/ 0x1024c:$s1: LCOGQGPTGP
5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xfd84:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Click to see the 19 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: yH3AxCHT3I	Virustotal: Detection: 28%			Perma Link
Source: yH3AxCHT3I	ReversingLabs: Detection: 37%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50482
Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50492
Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50508
Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50510
Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50512
Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50514
Source: Traffic	Snort IDS: 716 INFO TELNET access 66.165.160.102:23 -> 192.168.2.23:50516
Source: Traffic	Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38294
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.225.194.59:23 -> 192.168.2.23:54128
Source: Traffic	Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38298
Source: Traffic	Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38322
Source: Traffic	Snort IDS: 716 INFO TELNET access 70.185.13.104:23 -> 192.168.2.23:38324

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:41864 -> 205.185.117.54:9506

Source: /tmp/yH3AxCHT3I (PID: 5227)	Socket: 0.0.0.0::23
Source: /tmp/yH3AxCHT3I (PID: 5227)	Socket: 0.0.0.0::0
Source: /tmp/yH3AxCHT3I (PID: 5227)	Socket: 0.0.0.0::80
Source: /tmp/yH3AxCHT3I (PID: 5227)	Socket: 0.0.0.0::81
Source: /tmp/yH3AxCHT3I (PID: 5227)	Socket: 0.0.0.0::8443
Source: /tmp/yH3AxCHT3I (PID: 5227)	Socket: 0.0.0.0::9009
Source: /tmp/yH3AxCHT3I (PID: 5233)	Socket: 0.0.0.0::0
Source: /tmp/yH3AxCHT3I (PID: 5233)	Socket: 0.0.0.0::22
Source: /tmp/yH3AxCHT3I (PID: 5233)	Socket: 0.0.0.0::80
Source: /tmp/yH3AxCHT3I (PID: 5233)	Socket: 0.0.0.0::81
Source: /tmp/yH3AxCHT3I (PID: 5233)	Socket: 0.0.0.0::8443
Source: /tmp/yH3AxCHT3I (PID: 5233)	Socket: 0.0.0.0::9009
Source: /usr/sbin/sshd (PID: 5262)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.117.54
Source: unknown	TCP traffic detected without corresponding DNS query: 37.197.57.223
Source: unknown	TCP traffic detected without corresponding DNS query: 165.17.108.36
Source: unknown	TCP traffic detected without corresponding DNS query: 146.67.240.76
Source: unknown	TCP traffic detected without corresponding DNS query: 122.95.11.36
Source: unknown	TCP traffic detected without corresponding DNS query: 203.241.48.6
Source: unknown	TCP traffic detected without corresponding DNS query: 186.46.113.223
Source: unknown	TCP traffic detected without corresponding DNS query: 139.146.108.104
Source: unknown	TCP traffic detected without corresponding DNS query: 213.117.204.125
Source: unknown	TCP traffic detected without corresponding DNS query: 92.235.184.66
Source: unknown	TCP traffic detected without corresponding DNS query: 147.220.89.165
Source: unknown	TCP traffic detected without corresponding DNS query: 209.68.4.108
Source: unknown	TCP traffic detected without corresponding DNS query: 105.171.216.251
Source: unknown	TCP traffic detected without corresponding DNS query: 109.82.7.187
Source: unknown	TCP traffic detected without corresponding DNS query: 243.68.151.96
Source: unknown	TCP traffic detected without corresponding DNS query: 82.78.9.239
Source: unknown	TCP traffic detected without corresponding DNS query: 130.189.8.110
Source: unknown	TCP traffic detected without corresponding DNS query: 217.66.233.112
Source: unknown	TCP traffic detected without corresponding DNS query: 196.189.195.211
Source: unknown	TCP traffic detected without corresponding DNS query: 176.247.247.146
Source: unknown	TCP traffic detected without corresponding DNS query: 170.241.248.158
Source: unknown	TCP traffic detected without corresponding DNS query: 122.169.217.90
Source: unknown	TCP traffic detected without corresponding DNS query: 102.232.26.181
Source: unknown	TCP traffic detected without corresponding DNS query: 4.136.252.225
Source: unknown	TCP traffic detected without corresponding DNS query: 255.155.254.87
Source: unknown	TCP traffic detected without corresponding DNS query: 122.200.62.168
Source: unknown	TCP traffic detected without corresponding DNS query: 186.39.186.6
Source: unknown	TCP traffic detected without corresponding DNS query: 9.152.71.217
Source: unknown	TCP traffic detected without corresponding DNS query: 182.57.187.147
Source: unknown	TCP traffic detected without corresponding DNS query: 211.157.177.175
Source: unknown	TCP traffic detected without corresponding DNS query: 145.194.88.235
Source: unknown	TCP traffic detected without corresponding DNS query: 242.107.16.195
Source: unknown	TCP traffic detected without corresponding DNS query: 118.119.254.194
Source: unknown	TCP traffic detected without corresponding DNS query: 212.20.146.7
Source: unknown	TCP traffic detected without corresponding DNS query: 98.52.19.251
Source: unknown	TCP traffic detected without corresponding DNS query: 74.201.21.110
Source: unknown	TCP traffic detected without corresponding DNS query: 251.2.30.159
Source: unknown	TCP traffic detected without corresponding DNS query: 104.178.87.45
Source: unknown	TCP traffic detected without corresponding DNS query: 103.106.31.112
Source: unknown	TCP traffic detected without corresponding DNS query: 14.165.174.33
Source: unknown	TCP traffic detected without corresponding DNS query: 166.173.235.36
Source: unknown	TCP traffic detected without corresponding DNS query: 207.99.53.171
Source: unknown	TCP traffic detected without corresponding DNS query: 190.249.136.26
Source: unknown	TCP traffic detected without corresponding DNS query: 4.153.48.106
Source: unknown	TCP traffic detected without corresponding DNS query: 86.218.200.23
Source: unknown	TCP traffic detected without corresponding DNS query: 35.33.254.199
Source: unknown	TCP traffic detected without corresponding DNS query: 156.198.90.232
Source: unknown	TCP traffic detected without corresponding DNS query: 117.5.249.162
Source: unknown	TCP traffic detected without corresponding DNS query: 253.151.113.223
Source: unknown	TCP traffic detected without corresponding DNS query: 179.62.107.173

Source: yH3AxCHT3I

String found in binary or memory: http://upx.sf.net

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: LOAD without section mappings

Program segment: 0x8000

Source: 5224.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5234.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5228.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5233.1.0000000007c53d73.000000006a7c51ae.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: /tmp/yH3AxCHT3I (PID: 5227)	SIGKILL sent: pid: 5233, result: successful
Source: /tmp/yH3AxCHT3I (PID: 5227)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/yH3AxCHT3I (PID: 5233)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal84.troj.evad.lin@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/491/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/793/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/772/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/796/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/774/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/797/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/777/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/799/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/658/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/912/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/759/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/936/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/918/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/1/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/761/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/785/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/884/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/720/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/721/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/788/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/789/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/800/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/801/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/847/fd
Source: /tmp/yH3AxCHT3I (PID: 5233)	File opened: /proc/904/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5262/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5262/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5141/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2033/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2033/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2033/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1582/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1582/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1582/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2275/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2275/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2275/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/3088/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5260/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1612/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1612/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1612/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1579/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1579/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1579/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1699/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1699/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1699/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1335/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1335/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1335/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1698/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1698/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1698/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2028/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2028/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2028/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1334/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1334/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1334/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1576/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1576/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1576/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2302/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2302/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2302/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/3236/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/3236/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/3236/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2025/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2025/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2025/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2146/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2146/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2146/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5258/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/910/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5259/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/912/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/912/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/912/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/759/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/759/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/759/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/517/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2307/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2307/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2307/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/918/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/918/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/918/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5152/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5036/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5036/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5036/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1594/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1594/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/1594/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2285/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2285/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2285/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2281/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2281/fd
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/2281/exe
Source: /tmp/yH3AxCHT3I (PID: 5227)	File opened: /proc/5150/exe

Source: /tmp/yH3AxCHT3I (PID: 5224)

Queries kernel information via 'uname':

Source: yH3AxCHT3I, 5224.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5228.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5233.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5234.1.000000007dcb2981.0000000062e7062f.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/yH3AxCHT3ISUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yH3AxCHT3I
Source: yH3AxCHT3I, 5224.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5228.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5233.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5234.1.0000000014637705.0000000081fedbd8.rw-.sdmp	Binary or memory string: W#V!/etc/qemu-binfmt/arm
Source: yH3AxCHT3I, 5224.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5228.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5233.1.0000000014637705.0000000081fedbd8.rw-.sdmp, yH3AxCHT3I, 5234.1.0000000014637705.0000000081fedbd8.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: yH3AxCHT3I, 5224.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5228.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5233.1.000000007dcb2981.0000000062e7062f.rw-.sdmp, yH3AxCHT3I, 5234.1.000000007dcb2981.0000000062e7062f.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match	File source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match	File source: 5233.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5224.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5234.1.00000000f26ed677.000000008ccd47ee.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Obfuscated Files or Information1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yH3AxCHT3I	28%	Virustotal		Browse
yH3AxCHT3I	37%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	yH3AxCHT3I	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
81.141.55.38	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	false
163.53.56.189	unknown	China	56005	FASTIDCZhengzhouFastidcTechnologyCoLtdCN	false
184.27.0.99	unknown	United States	16625	AKAMAI-ASUS	false
41.140.93.155	unknown	Morocco	36903	MT-MPLSMA	false
60.3.49.65	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
41.211.25.148	unknown	Ghana	35091	TELEDATA-ASTeledataGhanaIL	false
37.14.40.204	unknown	Spain	12479	UNI2-ASES	false
248.18.198.212	unknown	Reserved	unknown	unknown	false
77.70.221.252	unknown	Norway	5377	MARLINK-EMEANO	false
109.59.137.164	unknown	Sweden	44034	HI3GSE	false
125.142.230.126	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
13.145.202.198	unknown	United States	7018	ATT-INTERNET4US	false
170.192.212.123	unknown	United States	11685	HNBCOL-ASUS	false
166.29.182.20	unknown	United States	206	CSC-IGN-AMERUS	false
66.224.112.73	unknown	United States	7385	ALLSTREAMUS	false
9.40.103.0	unknown	United States	3356	LEVEL3US	false
106.72.195.169	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
44.40.175.57	unknown	United States	20473	AS-CHOOPAUS	false
123.87.18.133	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
40.197.171.2	unknown	United States	4249	LILLY-ASUS	false
114.5.205.188	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
211.163.111.102	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
45.75.160.232	unknown	United Kingdom	49425	DIGITAL-REALTY-UKGB	false
200.199.40.172	unknown	Brazil	7738	TelemarNorteLesteSABR	false
58.237.168.215	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
123.108.189.204	unknown	Korea Republic of	10175	HCNKUMHO-AS-KRKumhoCableKR	false
155.250.111.153	unknown	Germany	13167	MERCK-KGAADarmstadtGermanyDE	false
34.109.90.207	unknown	United States	15169	GOOGLEUS	false
178.81.128.60	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
209.122.96.77	unknown	United States	6079	RCN-ASUS	false
5.24.137.60	unknown	Turkey	16135	TURKCELL-ASTurkcellASTR	false
63.148.160.65	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
249.223.115.142	unknown	Reserved	unknown	unknown	false
68.201.64.64	unknown	United States	11427	TWC-11427-TEXASUS	false
58.199.186.139	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
200.152.150.49	unknown	Brazil	28590	DirectnetPrestacaodeServicosLtdaBR	false
207.144.199.204	unknown	United States	22646	HARCOM1US	false
118.170.22.249	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
115.52.204.84	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
79.141.10.235	unknown	France	25540	ALPHALINK-ASFR	false
114.60.198.77	unknown	China	9812	CNNIC-CN-COLNETOrientalCableNetworkCoLtdCN	false
177.145.138.208	unknown	Brazil	26599	TELEFONICABRASILSABR	false
32.185.230.113	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
113.55.196.3	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
18.140.158.93	unknown	United States	16509	AMAZON-02US	false
68.42.99.162	unknown	United States	7922	COMCAST-7922US	false
189.174.41.83	unknown	Mexico	8151	UninetSAdeCVMX	false
9.11.181.108	unknown	United States	3356	LEVEL3US	false
220.221.242.63	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
79.57.118.183	unknown	Italy	3269	ASN-IBSNAZIT	false
72.52.137.100	unknown	United States	32244	LIQUIDWEBUS	false
100.248.229.26	unknown	United States	21928	T-MOBILE-AS21928US	false
31.102.195.59	unknown	United Kingdom	12576	EELtdGB	false
173.223.114.161	unknown	United States	16625	AKAMAI-ASUS	false
35.122.244.156	unknown	United States	237	MERIT-AS-14US	false
193.13.86.3	unknown	Sweden	1257	TELE2EU	false
177.165.238.214	unknown	Brazil	26615	TIMSABR	false
101.162.4.142	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
121.188.110.123	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
75.75.74.187	unknown	United States	7922	COMCAST-7922US	false
5.130.84.210	unknown	Russian Federation	31200	NTKIPv6customersRU	false
255.210.145.196	unknown	Reserved	unknown	unknown	false
184.101.8.131	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
37.79.117.209	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
68.109.108.216	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
75.127.194.9	unknown	United States	6128	CABLE-NET-1US	false
99.34.80.250	unknown	United States	7018	ATT-INTERNET4US	false
200.122.108.186	unknown	Argentina	10481	TelecomArgentinaSAAR	false
165.243.24.41	unknown	Korea Republic of	4668	LGNET-AS-KRLGCNSKR	false
105.168.77.108	unknown	Angola	37119	unitel-ASAO	false
171.248.31.10	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
94.239.156.8	unknown	France	5410	BOUYGTEL-ISPFR	false
92.186.173.40	unknown	France	12479	UNI2-ASES	false
242.94.217.63	unknown	Reserved	unknown	unknown	false
83.7.185.173	unknown	Poland	5617	TPNETPL	false
20.161.36.36	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
88.53.30.66	unknown	Italy	3269	ASN-IBSNAZIT	false
105.154.88.139	unknown	Morocco	36903	MT-MPLSMA	false
189.76.171.77	unknown	Brazil	28358	INTERTELCOTELECOMUNICACOESMULTIMIDIALTDABR	false
100.128.95.133	unknown	United States	21928	T-MOBILE-AS21928US	false
218.239.129.52	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
83.211.190.35	unknown	Italy	15589	ASN-CLOUDITALIAIT	false
38.237.254.194	unknown	United States	174	COGENT-174US	false
66.251.214.57	unknown	United States	18624	CITYOFWILSONNCUS	false
39.198.18.103	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
197.109.134.51	unknown	South Africa	37168	CELL-CZA	false
117.63.65.234	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
82.1.18.205	unknown	United Kingdom	5089	NTLGB	false
173.79.81.100	unknown	United States	701	UUNETUS	false
201.180.141.26	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
156.94.210.118	unknown	United States	10695	WAL-MARTUS	false
94.82.238.146	unknown	Italy	3269	ASN-IBSNAZIT	false
17.139.38.27	unknown	United States	714	APPLE-ENGINEERINGUS	false
141.237.226.38	unknown	Greece	3329	HOL-GRAthensGreeceGR	false
154.47.211.221	unknown	United States	174	COGENT-174US	false
159.245.168.149	unknown	European Union	29899	GEISINGERUS	false
101.211.73.148	unknown	India	58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false
40.94.195.122	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
113.157.0.65	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
188.151.72.64	unknown	Norway	39651	COMHEM-SWEDENSE	false

Runtime Messages

Command:	/tmp/yH3AxCHT3I
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest'/proc/'/exe
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5262/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:CL:CL
MD5:	E106DF5C7ADCDDF2A3C9B1E5C78112A2
SHA1:	53E55A4072F9624175A43F956606B439CBE28772
SHA-256:	66A2BED186C11E9F5C0CBF32D971D14325F871E209C6821160871175722A43D0
SHA-512:	B9EA0BC991203AD49366990596FDF035447600B1155BAD741F7C797C20C0D4E30D06F0E06AE59C4B01FD115F9E5E6B345A155BE01112D384FCF72D7B153F2EAF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	5262.

Static File Info

General
File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	7.9512483718866385
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	yH3AxCHT3I
File size:	29944
MD5:	9065d02c3a51d27d6a930d838fa9d700
SHA1:	cdd354cd859054955116cc0476884ed3b77b4c93
SHA256:	0054cf56d6a4ef6e38ccaaf189be5f9a2e94781c8234ed52bec896fbc525d511
SHA512:	bd03ea2796cef23906b5675454344b78cfc297cc10cc4648ae65391e72ff5d2766e3c480056aea1be81328d416f27295a14bc0e9eb2ca9a72055381a73778f8a
SSDEEP:	384:++pBNm5t8706u9jtiyM0hYQEmIyzc/bgDB290RUWFZd/f25K2j0U+7+ThymdGUoo:BA4uBc0THcq21qZdhfU+7Is3UozE
File Content Preview:	.ELF...a..........(.....X...4...........4. ...(......................t...t..............L...L...L...................Q.td............................s.y.UPX!........D...D.......R..........?.E.h;.}...^..........f*..J.%.",.....n7..Io.Z....'.....5.1...#....n.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0xe258
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x7407	0x7407	3.9980	0x5	R E	0x8000
LOAD	0x164c	0x2164c	0x2164c	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2021 01:47:49.047724009 CET	41864	9506	192.168.2.23	205.185.117.54
Dec 24, 2021 01:47:49.054020882 CET	56053	23	192.168.2.23	37.197.57.223
Dec 24, 2021 01:47:49.054230928 CET	56053	23	192.168.2.23	165.17.108.36
Dec 24, 2021 01:47:49.054235935 CET	56053	23	192.168.2.23	146.67.240.76
Dec 24, 2021 01:47:49.054234028 CET	56053	23	192.168.2.23	122.95.11.36
Dec 24, 2021 01:47:49.054236889 CET	56053	23	192.168.2.23	203.241.48.6
Dec 24, 2021 01:47:49.054245949 CET	56053	23	192.168.2.23	186.46.113.223
Dec 24, 2021 01:47:49.054253101 CET	56053	23	192.168.2.23	139.146.108.104
Dec 24, 2021 01:47:49.054255962 CET	56053	23	192.168.2.23	213.117.204.125
Dec 24, 2021 01:47:49.054261923 CET	56053	23	192.168.2.23	92.235.184.66
Dec 24, 2021 01:47:49.054267883 CET	56053	23	192.168.2.23	147.220.89.165
Dec 24, 2021 01:47:49.054270983 CET	56053	23	192.168.2.23	209.68.4.108
Dec 24, 2021 01:47:49.054279089 CET	56053	23	192.168.2.23	241.2.210.228
Dec 24, 2021 01:47:49.054280996 CET	56053	23	192.168.2.23	105.171.216.251
Dec 24, 2021 01:47:49.054286003 CET	56053	23	192.168.2.23	109.82.7.187
Dec 24, 2021 01:47:49.054286957 CET	56053	23	192.168.2.23	243.68.151.96
Dec 24, 2021 01:47:49.054289103 CET	56053	23	192.168.2.23	82.78.9.239
Dec 24, 2021 01:47:49.054295063 CET	56053	23	192.168.2.23	210.8.186.89
Dec 24, 2021 01:47:49.054301977 CET	56053	23	192.168.2.23	130.189.8.110
Dec 24, 2021 01:47:49.054306984 CET	56053	23	192.168.2.23	217.66.233.112
Dec 24, 2021 01:47:49.054306984 CET	56053	23	192.168.2.23	196.189.195.211
Dec 24, 2021 01:47:49.054310083 CET	56053	23	192.168.2.23	176.247.247.146
Dec 24, 2021 01:47:49.054321051 CET	56053	23	192.168.2.23	170.241.248.158
Dec 24, 2021 01:47:49.054322004 CET	56053	23	192.168.2.23	122.169.217.90
Dec 24, 2021 01:47:49.054328918 CET	56053	23	192.168.2.23	102.232.26.181
Dec 24, 2021 01:47:49.054332018 CET	56053	23	192.168.2.23	4.136.252.225
Dec 24, 2021 01:47:49.054333925 CET	56053	23	192.168.2.23	255.155.254.87
Dec 24, 2021 01:47:49.054338932 CET	56053	23	192.168.2.23	122.200.62.168
Dec 24, 2021 01:47:49.054338932 CET	56053	23	192.168.2.23	186.39.186.6
Dec 24, 2021 01:47:49.054342985 CET	56053	23	192.168.2.23	9.152.71.217
Dec 24, 2021 01:47:49.054352045 CET	56053	23	192.168.2.23	182.57.187.147
Dec 24, 2021 01:47:49.054356098 CET	56053	23	192.168.2.23	211.157.177.175
Dec 24, 2021 01:47:49.054358959 CET	56053	23	192.168.2.23	145.194.88.235
Dec 24, 2021 01:47:49.054363012 CET	56053	23	192.168.2.23	242.107.16.195
Dec 24, 2021 01:47:49.054363966 CET	56053	23	192.168.2.23	118.119.254.194
Dec 24, 2021 01:47:49.054364920 CET	56053	23	192.168.2.23	212.20.146.7
Dec 24, 2021 01:47:49.054367065 CET	56053	23	192.168.2.23	98.52.19.251
Dec 24, 2021 01:47:49.054369926 CET	56053	23	192.168.2.23	74.201.21.110
Dec 24, 2021 01:47:49.054373980 CET	56053	23	192.168.2.23	251.2.30.159
Dec 24, 2021 01:47:49.054377079 CET	56053	23	192.168.2.23	104.178.87.45
Dec 24, 2021 01:47:49.054377079 CET	56053	23	192.168.2.23	103.106.31.112
Dec 24, 2021 01:47:49.054378033 CET	56053	23	192.168.2.23	14.165.174.33
Dec 24, 2021 01:47:49.054385900 CET	56053	23	192.168.2.23	166.173.235.36
Dec 24, 2021 01:47:49.054389954 CET	56053	23	192.168.2.23	207.99.53.171
Dec 24, 2021 01:47:49.054392099 CET	56053	23	192.168.2.23	190.249.136.26
Dec 24, 2021 01:47:49.054392099 CET	56053	23	192.168.2.23	4.153.48.106
Dec 24, 2021 01:47:49.054394007 CET	56053	23	192.168.2.23	86.218.200.23
Dec 24, 2021 01:47:49.054397106 CET	56053	23	192.168.2.23	35.33.254.199
Dec 24, 2021 01:47:49.054397106 CET	56053	23	192.168.2.23	156.198.90.232
Dec 24, 2021 01:47:49.054403067 CET	56053	23	192.168.2.23	117.5.249.162
Dec 24, 2021 01:47:49.054416895 CET	56053	23	192.168.2.23	253.151.113.223
Dec 24, 2021 01:47:49.054419994 CET	56053	23	192.168.2.23	179.62.107.173
Dec 24, 2021 01:47:49.054425001 CET	56053	23	192.168.2.23	87.196.245.139
Dec 24, 2021 01:47:49.054428101 CET	56053	23	192.168.2.23	9.152.171.99
Dec 24, 2021 01:47:49.054435015 CET	56053	23	192.168.2.23	117.163.18.242
Dec 24, 2021 01:47:49.054435968 CET	56053	23	192.168.2.23	57.68.36.150
Dec 24, 2021 01:47:49.054440022 CET	56053	23	192.168.2.23	117.114.112.10
Dec 24, 2021 01:47:49.054445982 CET	56053	23	192.168.2.23	241.43.201.104
Dec 24, 2021 01:47:49.054445982 CET	56053	23	192.168.2.23	103.137.125.42
Dec 24, 2021 01:47:49.054446936 CET	56053	23	192.168.2.23	202.191.78.163
Dec 24, 2021 01:47:49.054449081 CET	56053	23	192.168.2.23	60.24.239.130
Dec 24, 2021 01:47:49.054450035 CET	56053	23	192.168.2.23	45.172.132.132
Dec 24, 2021 01:47:49.054455996 CET	56053	23	192.168.2.23	187.32.121.155
Dec 24, 2021 01:47:49.054461956 CET	56053	23	192.168.2.23	44.14.50.83
Dec 24, 2021 01:47:49.054462910 CET	56053	23	192.168.2.23	40.158.56.206
Dec 24, 2021 01:47:49.054466963 CET	56053	23	192.168.2.23	32.92.239.202
Dec 24, 2021 01:47:49.054469109 CET	56053	23	192.168.2.23	167.239.17.255
Dec 24, 2021 01:47:49.054471016 CET	56053	23	192.168.2.23	157.4.195.3
Dec 24, 2021 01:47:49.054475069 CET	56053	23	192.168.2.23	58.239.145.191
Dec 24, 2021 01:47:49.054482937 CET	56053	23	192.168.2.23	240.106.4.163
Dec 24, 2021 01:47:49.054486990 CET	56053	23	192.168.2.23	16.243.75.76
Dec 24, 2021 01:47:49.054491043 CET	56053	23	192.168.2.23	94.148.108.98
Dec 24, 2021 01:47:49.054497004 CET	56053	23	192.168.2.23	170.42.36.117
Dec 24, 2021 01:47:49.054505110 CET	56053	23	192.168.2.23	221.112.52.216
Dec 24, 2021 01:47:49.054511070 CET	56053	23	192.168.2.23	174.132.191.232
Dec 24, 2021 01:47:49.054513931 CET	56053	23	192.168.2.23	184.61.17.126
Dec 24, 2021 01:47:49.054517031 CET	56053	23	192.168.2.23	108.25.47.151
Dec 24, 2021 01:47:49.054522038 CET	56053	23	192.168.2.23	46.158.19.223
Dec 24, 2021 01:47:49.054527998 CET	56053	23	192.168.2.23	77.102.88.100
Dec 24, 2021 01:47:49.054554939 CET	56053	23	192.168.2.23	207.135.119.15
Dec 24, 2021 01:47:49.054558039 CET	56053	23	192.168.2.23	128.243.148.88
Dec 24, 2021 01:47:49.054583073 CET	56053	23	192.168.2.23	8.178.84.19
Dec 24, 2021 01:47:49.054575920 CET	56053	23	192.168.2.23	241.127.125.136
Dec 24, 2021 01:47:49.054593086 CET	56053	23	192.168.2.23	78.228.5.185
Dec 24, 2021 01:47:49.054598093 CET	56053	23	192.168.2.23	254.159.136.223
Dec 24, 2021 01:47:49.054604053 CET	56053	23	192.168.2.23	241.167.164.222
Dec 24, 2021 01:47:49.054606915 CET	56053	23	192.168.2.23	12.217.105.62
Dec 24, 2021 01:47:49.054620981 CET	56053	23	192.168.2.23	173.216.21.37
Dec 24, 2021 01:47:49.054622889 CET	56053	23	192.168.2.23	61.141.191.158
Dec 24, 2021 01:47:49.054630041 CET	56053	23	192.168.2.23	211.203.66.96
Dec 24, 2021 01:47:49.054636002 CET	56053	23	192.168.2.23	31.180.95.206
Dec 24, 2021 01:47:49.054636002 CET	56053	23	192.168.2.23	244.152.93.54
Dec 24, 2021 01:47:49.054655075 CET	56053	23	192.168.2.23	89.236.73.249
Dec 24, 2021 01:47:49.054677010 CET	56053	23	192.168.2.23	8.102.59.210
Dec 24, 2021 01:47:49.054680109 CET	56053	23	192.168.2.23	71.255.135.220
Dec 24, 2021 01:47:49.054687023 CET	56053	23	192.168.2.23	175.115.110.208
Dec 24, 2021 01:47:49.054692984 CET	56053	23	192.168.2.23	38.160.43.37
Dec 24, 2021 01:47:49.054696083 CET	56053	23	192.168.2.23	242.92.215.18
Dec 24, 2021 01:47:49.054698944 CET	56053	23	192.168.2.23	156.102.59.239
Dec 24, 2021 01:47:49.054702997 CET	56053	23	192.168.2.23	8.123.229.110

System Behavior

Analysis Process: yH3AxCHT3I PID: 5224 Parent PID: 5115

General

Start time:	01:47:47
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	/tmp/yH3AxCHT3I
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: yH3AxCHT3I PID: 5227 Parent PID: 5224

General

Start time:	01:47:48
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: yH3AxCHT3I PID: 5228 Parent PID: 5224

General

Start time:	01:47:48
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: yH3AxCHT3I PID: 5229 Parent PID: 5224

General

Start time:	01:47:48
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: yH3AxCHT3I PID: 5233 Parent PID: 5229

General

Start time:	01:47:48
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: yH3AxCHT3I PID: 5234 Parent PID: 5229

General

Start time:	01:47:48
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: yH3AxCHT3I PID: 5237 Parent PID: 5229

General

Start time:	01:47:48
Start date:	24/12/2021
Path:	/tmp/yH3AxCHT3I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: systemd PID: 5261 Parent PID: 1

General

Start time:	01:47:57
Start date:	24/12/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5261 Parent PID: 1

General

Start time:	01:47:57
Start date:	24/12/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5262 Parent PID: 1

General

Start time:	01:47:57
Start date:	24/12/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5262 Parent PID: 1

General

Start time:	01:47:57
Start date:	24/12/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report yH3AxCHT3I

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: yH3AxCHT3I PID: 5224 Parent PID: 5115

General

Analysis Process: yH3AxCHT3I PID: 5227 Parent PID: 5224

General

Analysis Process: yH3AxCHT3I PID: 5228 Parent PID: 5224

General

Analysis Process: yH3AxCHT3I PID: 5229 Parent PID: 5224

General

Analysis Process: yH3AxCHT3I PID: 5233 Parent PID: 5229

General

Analysis Process: yH3AxCHT3I PID: 5234 Parent PID: 5229

General

Analysis Process: yH3AxCHT3I PID: 5237 Parent PID: 5229

General

Analysis Process: systemd PID: 5261 Parent PID: 1

General

Analysis Process: sshd PID: 5261 Parent PID: 1

General

Analysis Process: systemd PID: 5262 Parent PID: 1

General

Analysis Process: sshd PID: 5262 Parent PID: 1

General