Linux Analysis Report
yvweY4vsVq.elf

Overview

General Information

Sample Name: yvweY4vsVq.elf
Original Sample Name: 7592df37fb3fea64a0994ac342f319f4.elf
Analysis ID: 877738
MD5: 7592df37fb3fea64a0994ac342f319f4
SHA1: bd612669bbc816883907689411667f34b471259f
SHA256: 4e97dfb181ef3db9a59094b5f468255ee7dc5d5e52543730d8394270a434b162
Tags: 32 arm elf mirai

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "systemctl" command used for controlling the systemd system and service manager
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
ELF contains segments with high entropy indicating compressed/encrypted content

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

Source: yvweY4vsVq.elf ReversingLabs: Detection: 54%
Source: yvweY4vsVq.elf Virustotal: Detection: 50%

Networking

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40682
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40692
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40698
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40706
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40710
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40716
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40720
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40724
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40726
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40730
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40732
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40738
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40740
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40742
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40744
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40746
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40748
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40752
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40754
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40756
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40758
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40760
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40762
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40764
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40768
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40770
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40772
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40774
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 40778
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:48592 -> 107.189.3.153:1312
Source: /tmp/yvweY4vsVq.elf (PID: 6293) Socket: 0.0.0.0::0
Source: /tmp/yvweY4vsVq.elf (PID: 6293) Socket: 0.0.0.0::53413
Source: /tmp/yvweY4vsVq.elf (PID: 6293) Socket: 0.0.0.0::80
Source: /tmp/yvweY4vsVq.elf (PID: 6293) Socket: 0.0.0.0::37215
Source: /tmp/yvweY4vsVq.elf (PID: 6299) Socket: 0.0.0.0::0
Source: /tmp/yvweY4vsVq.elf (PID: 6299) Socket: 0.0.0.0::53413
Source: /tmp/yvweY4vsVq.elf (PID: 6299) Socket: 0.0.0.0::80
Source: /tmp/yvweY4vsVq.elf (PID: 6299) Socket: 0.0.0.0::37215
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: yvweY4vsVq.elf String found in binary or memory: http://upx.sf.net

System Summary

Source: /tmp/yvweY4vsVq.elf (PID: 6293) SIGKILL sent: pid: 936, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 936, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 6293, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 720, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 759, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 788, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 800, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 847, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 884, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 1860, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/yvweY4vsVq.elf (PID: 6299) SIGKILL sent: pid: 2208, result: successful
Source: LOAD without section mappings Program segment: 0x8000
Source: classification engine Classification label: mal68.spre.troj.evad.linELF@0/49@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2033/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2033/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1582/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1582/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2275/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/6191/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/6192/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1612/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1612/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1579/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1579/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1699/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1699/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1335/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1335/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1698/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1698/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2028/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2028/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1334/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1334/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1576/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1576/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2302/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/3236/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2025/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2025/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2146/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2146/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/910/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/912/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/912/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/759/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/759/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/517/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2307/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/918/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/918/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1594/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1594/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2285/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2281/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1349/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1349/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1623/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1623/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/761/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/761/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1622/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1622/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/884/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/884/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1983/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1983/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2038/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2038/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1586/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1586/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1465/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1465/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1344/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1344/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1860/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1860/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1463/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1463/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2156/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2156/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/800/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/800/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/801/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/801/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1629/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1629/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1627/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1627/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1900/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1900/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/491/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/491/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2294/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2050/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/2050/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1877/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1877/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/772/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/772/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1633/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1633/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1599/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1599/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1632/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1632/exe
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1477/fd
Source: /tmp/yvweY4vsVq.elf (PID: 6299) File opened: /proc/1477/exe
Source: /usr/sbin/logrotate (PID: 6241) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
Source: /usr/sbin/logrotate (PID: 6252) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
Source: /usr/sbin/invoke-rc.d (PID: 6245) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service
Source: /usr/sbin/invoke-rc.d (PID: 6250) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 6254) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service

Hooking and other Techniques for Hiding and Protection

Source: yvweY4vsVq.elf Submission file: segment LOAD with 7.9335 entropy (max. 8.0)
Source: /usr/sbin/logrotate (PID: 6198) Truncated file: /var/log/cups/access_log.1
Source: /usr/sbin/logrotate (PID: 6198) Truncated file: /var/log/syslog.1
Source: /tmp/yvweY4vsVq.elf (PID: 6291) Queries kernel information via 'uname'
Source: yvweY4vsVq.elf, 6291.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp, yvweY4vsVq.elf, 6293.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp, yvweY4vsVq.elf, 6295.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp, yvweY4vsVq.elf, 6301.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp Binary or memory string: Dx86_64/usr/bin/qemu-arm/tmp/yvweY4vsVq.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yvweY4vsVq.elf
Source: yvweY4vsVq.elf, 6291.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp, yvweY4vsVq.elf, 6293.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp, yvweY4vsVq.elf, 6295.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp, yvweY4vsVq.elf, 6301.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: yvweY4vsVq.elf, 6291.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp, yvweY4vsVq.elf, 6293.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp, yvweY4vsVq.elf, 6295.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp, yvweY4vsVq.elf, 6301.1.000055d7e0edc000.000055d7e10ea000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: yvweY4vsVq.elf, 6291.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp, yvweY4vsVq.elf, 6293.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp, yvweY4vsVq.elf, 6295.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp, yvweY4vsVq.elf, 6301.1.00007fffb98e5000.00007fffb9906000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP