Edit tour

Linux Analysis Report
firmware.sh4.elf

Overview

General Information

Sample name:	firmware.sh4.elf
Analysis ID:	1502457
MD5:	866ab94cdba8c1e145fcfc5e8a587251
SHA1:	3eda27ca9939320a3fdd89e794d3c1207cca7902
SHA256:	b8aba5f4f1a0f074f60982b0f030fd84af36556d747e0642a8fb575f9899de6c
Tags:	elffirmware
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Drops files in suspicious directories

Executes the "crontab" command typically for achieving persistence

Sample tries to persist itself using cron

Executes commands using a shell command-line interpreter

Executes the "hostname" command used to retrieve the computers name

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502457
Start date and time:	2024-09-01 17:33:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	firmware.sh4.elf
Detection:	MAL
Classification:	mal84.troj.evad.linELF@0/24@0/0

Warnings

Skipping network analysis since amount of network traffic is too extensive

Runtime Messages

Command:	/tmp/firmware.sh4.elf
PID:	6255
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware Upgraded
Standard Error:

Process Tree

system is lnxubuntu20

firmware.sh4.elf (PID: 6255, Parent: 6180, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/firmware.sh4.elf

firmware.sh4.elf New Fork (PID: 6258, Parent: 6255)

firmware.sh4.elf New Fork (PID: 6260, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6264, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6267, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6277, Parent: 6267)

sh (PID: 6277, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6292, Parent: 6277)

hostname (PID: 6292, Parent: 6277, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6345, Parent: 6267)

sh (PID: 6345, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6350, Parent: 6345)

hostname (PID: 6350, Parent: 6345, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6378, Parent: 6267)

sh (PID: 6378, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6380, Parent: 6378)

hostname (PID: 6380, Parent: 6378, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6389, Parent: 6267)

sh (PID: 6389, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6395, Parent: 6389)

hostname (PID: 6395, Parent: 6389, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6403, Parent: 6267)

sh (PID: 6403, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6409, Parent: 6403)

hostname (PID: 6409, Parent: 6403, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6426, Parent: 6267)

sh (PID: 6426, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6428, Parent: 6426)

hostname (PID: 6428, Parent: 6426, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6437, Parent: 6267)

sh (PID: 6437, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6439, Parent: 6437)

hostname (PID: 6439, Parent: 6437, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6447, Parent: 6267)

sh (PID: 6447, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6453, Parent: 6447)

hostname (PID: 6453, Parent: 6447, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6473, Parent: 6267)

sh (PID: 6473, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6478, Parent: 6473)

hostname (PID: 6478, Parent: 6473, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6491, Parent: 6267)

sh (PID: 6491, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6495, Parent: 6491)

hostname (PID: 6495, Parent: 6491, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6512, Parent: 6267)

sh (PID: 6512, Parent: 6267, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6518, Parent: 6512)

hostname (PID: 6518, Parent: 6512, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6270, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6276, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6288, Parent: 6276)

sh (PID: 6288, Parent: 6276, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6294, Parent: 6288)

hostname (PID: 6294, Parent: 6288, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6281, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6309, Parent: 6260)

sh (PID: 6309, Parent: 6260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab /var/spool/cron/crontabs/root"

sh New Fork (PID: 6313, Parent: 6309)

crontab (PID: 6313, Parent: 6309, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab /var/spool/cron/crontabs/root

firmware.sh4.elf New Fork (PID: 6412, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6414, Parent: 6412)

firmware.sh4.elf New Fork (PID: 6458, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6460, Parent: 6458)

firmware.sh4.elf New Fork (PID: 6483, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6485, Parent: 6483)

firmware.sh4.elf New Fork (PID: 6521, Parent: 6260)

firmware.sh4.elf New Fork (PID: 6523, Parent: 6521)

firmware.sh4.elf New Fork (PID: 6261, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6263, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6272, Parent: 6263)

sh (PID: 6272, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6291, Parent: 6272)

hostname (PID: 6291, Parent: 6272, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6338, Parent: 6263)

sh (PID: 6338, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6344, Parent: 6338)

hostname (PID: 6344, Parent: 6338, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6375, Parent: 6263)

sh (PID: 6375, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6377, Parent: 6375)

hostname (PID: 6377, Parent: 6375, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6386, Parent: 6263)

sh (PID: 6386, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6388, Parent: 6386)

hostname (PID: 6388, Parent: 6386, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6400, Parent: 6263)

sh (PID: 6400, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6402, Parent: 6400)

hostname (PID: 6402, Parent: 6400, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6420, Parent: 6263)

sh (PID: 6420, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6425, Parent: 6420)

hostname (PID: 6425, Parent: 6420, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6434, Parent: 6263)

sh (PID: 6434, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6436, Parent: 6434)

hostname (PID: 6436, Parent: 6434, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6444, Parent: 6263)

sh (PID: 6444, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6446, Parent: 6444)

hostname (PID: 6446, Parent: 6444, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6466, Parent: 6263)

sh (PID: 6466, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6472, Parent: 6466)

hostname (PID: 6472, Parent: 6466, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6506, Parent: 6263)

sh (PID: 6506, Parent: 6263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6508, Parent: 6506)

hostname (PID: 6508, Parent: 6506, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6266, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6274, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6287, Parent: 6274)

sh (PID: 6287, Parent: 6274, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "hostname -I"

sh New Fork (PID: 6293, Parent: 6287)

hostname (PID: 6293, Parent: 6287, MD5: 1ce73d718e3dccc1aaa7bce6ae2ef0a7) Arguments: hostname -I

firmware.sh4.elf New Fork (PID: 6279, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6311, Parent: 6258)

sh (PID: 6311, Parent: 6258, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab /var/spool/cron/crontabs/root"

sh New Fork (PID: 6314, Parent: 6311)

crontab (PID: 6314, Parent: 6311, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab /var/spool/cron/crontabs/root

firmware.sh4.elf New Fork (PID: 6487, Parent: 6258)

firmware.sh4.elf New Fork (PID: 6489, Parent: 6487)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
firmware.sh4.elf	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ

Dropped Files

Source	Rule	Description	Author	Strings
/usr/bin/isovqu	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
dropped/isovqu	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ

Memory Dumps

Source	Rule	Description	Author	Strings
6255.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6483.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6414.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6276.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6460.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6487.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6274.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6458.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6485.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6489.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
6412.1.00007f9f40400000.00007f9f40417000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x14c00:$s1: LCOGQGPTGP 0x14664:$s3: CFOKLKQVPCVMP 0x148a0:$s4: QWRGPTKQMP 0x14810:$s5: HWCLVGAJ
Click to see the 6 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: firmware.sh4.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/bin/isovqu

Avira: detection malicious, Label: LINUX/Mirai.bonb

Multi AV Scanner detection for submitted file

Source: firmware.sh4.elf	ReversingLabs: Detection: 50%
Source: firmware.sh4.elf	Virustotal: Detection: 56%			Perma Link

System Summary

Malicious sample detected (through community Yara rule)

Source: firmware.sh4.elf, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6255.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6483.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6414.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6276.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6460.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6487.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6274.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6458.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6485.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6489.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6412.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: /usr/bin/isovqu, type: DROPPED	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: dropped/isovqu, type: DROPPED	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/firmware.sh4.elf (PID: 6414)	SIGKILL sent: pid: 6412, result: successful	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6460)	SIGKILL sent: pid: 6458, result: successful	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6485)	SIGKILL sent: pid: 6483, result: successful	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6489)	SIGKILL sent: pid: 6487, result: successful	Jump to behavior

Source: firmware.sh4.elf, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6255.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6483.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6414.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6276.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6460.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6487.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6274.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6458.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6485.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6489.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6412.1.00007f9f40400000.00007f9f40417000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: /usr/bin/isovqu, type: DROPPED	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: dropped/isovqu, type: DROPPED	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b

Source: classification engine

Classification label: mal84.troj.evad.linELF@0/24@0/0

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 6313)	Crontab executable: /usr/bin/crontab -> crontab /var/spool/cron/crontabs/root			Jump to behavior
Source: /bin/sh (PID: 6314)	Crontab executable: /usr/bin/crontab -> crontab /var/spool/cron/crontabs/root			Jump to behavior

Sample tries to persist itself using cron

Source: /tmp/firmware.sh4.elf (PID: 6258)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6260)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6313)	File: /var/spool/cron/crontabs/tmp.dUBIUw	Jump to behavior
Source: /usr/bin/crontab (PID: 6313)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6314)	File: /var/spool/cron/crontabs/tmp.LcjwCF	Jump to behavior
Source: /usr/bin/crontab (PID: 6314)	File: /var/spool/cron/crontabs/root	Jump to behavior

Source: /tmp/firmware.sh4.elf (PID: 6277)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6345)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6378)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6389)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6403)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6426)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6437)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6447)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6473)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6491)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6512)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6288)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6309)	Shell command executed: sh -c "crontab /var/spool/cron/crontabs/root"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6272)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6338)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6375)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6386)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6400)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6420)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6434)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6444)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6466)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6506)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6287)	Shell command executed: sh -c "hostname -I"	Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6311)	Shell command executed: sh -c "crontab /var/spool/cron/crontabs/root"	Jump to behavior

Source: /bin/sh (PID: 6292)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6350)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6380)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6395)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6409)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6428)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6439)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6453)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6478)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6495)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6518)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6294)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6291)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6344)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6377)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6388)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6402)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6425)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6436)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6446)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6472)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6508)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior
Source: /bin/sh (PID: 6293)	Hostname executable: /usr/bin/hostname -> hostname -I	Jump to behavior

Source: /tmp/firmware.sh4.elf (PID: 6258)	File: /bin/isovqu (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/firmware.sh4.elf (PID: 6260)	File: /bin/isovqu (bits: - usr: rx grp: rx all: rwx)			Jump to behavior

Source: /tmp/firmware.sh4.elf (PID: 6258)	File written: /usr/bin/isovqu
Source: /tmp/firmware.sh4.elf (PID: 6260)	File written: /usr/bin/isovqu			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/firmware.sh4.elf (PID: 6258)	File: /usr/bin/isovqu
Source: /tmp/firmware.sh4.elf (PID: 6260)	File: /usr/bin/isovqu			Jump to dropped file

Source: /tmp/firmware.sh4.elf (PID: 6255)

Queries kernel information via 'uname':

Jump to behavior

Source: firmware.sh4.elf, 6255.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6276.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6412.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6414.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6458.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6460.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6483.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6485.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6274.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6487.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6489.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: firmware.sh4.elf, 6255.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6276.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6412.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6414.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6458.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6460.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6483.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6485.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6274.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6487.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6489.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/firmware.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/firmware.sh4.elf
Source: firmware.sh4.elf, 6255.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6276.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6412.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6414.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6458.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6460.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6483.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6485.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6274.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6487.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6489.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: firmware.sh4.elf, 6255.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6276.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6412.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6414.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6458.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6460.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6483.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6485.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6274.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6487.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp, firmware.sh4.elf, 6489.1.000055c2d7179000.000055c2d71fc000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: firmware.sh4.elf, 6276.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp, firmware.sh4.elf, 6274.1.00007ffe8b6d8000.00007ffe8b6f9000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
firmware.sh4.elf	50%	ReversingLabs	Linux.Trojan.Mirai
firmware.sh4.elf	56%	Virustotal		Browse
firmware.sh4.elf	100%	Avira	LINUX/Mirai.bonb

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/bin/isovqu	100%	Avira	LINUX/Mirai.bonb
/usr/bin/isovqu	50%	ReversingLabs	Linux.Trojan.Mirai
/usr/bin/isovqu	56%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/allah_is_prick.html

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	HTML document, ASCII text, with very long lines (360), with no line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.824216939715202
Encrypted:	false
SSDEEP:	6:qvdVefkx3wicKPxyj2ay2brGFfi6nNN2PFWdQipKr+CRKf2rQb:4dTx6KJyCaViBNoPFWd/++CRKerQb
MD5:	3A2D9EE3D20A76ED6AF3F066BE482B64
SHA1:	8EE4338DF17D6DBBD7CFEC1AA0ABBD6A7B8081F6
SHA-256:	9D542210472A30C5142DF1F1AC2A25D72A453C5DFAD27B09F805691A2E936082
SHA-512:	715E81E95217EB0D10C1FB3518A589782C2F67BC100E349582CCCB5AB5706C4EC931879E3C03717A099D475F8DBEC58082CEE306C74CD264BD733B5B98AA0B25
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html>

/etc/d

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:gj4/:gjk
MD5:	A608947B77730C54084CBDB7F0DC39E0
SHA1:	2725761B16E5D70685E8A898450757F9B5CE433B
SHA-256:	2ABF442BF3CA4F75B128B24FB05D5E54C5614BCFC626ACC889CE5334646C58B7
SHA-512:	927617E724CDD846DE3144A9F6E3DBF1E5AB0E08D86EC34B6D29090DF17865016367290F0605B8F688046CAF9205FC7FBEC26BA2296DA05C7C8AC111097BBB06
Malicious:	false
Reputation:	low
Preview:	947516022.

/home/allah_is_prick.html

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	HTML document, ASCII text, with very long lines (360), with no line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.824216939715202
Encrypted:	false
SSDEEP:	6:qvdVefkx3wicKPxyj2ay2brGFfi6nNN2PFWdQipKr+CRKf2rQb:4dTx6KJyCaViBNoPFWd/++CRKerQb
MD5:	3A2D9EE3D20A76ED6AF3F066BE482B64
SHA1:	8EE4338DF17D6DBBD7CFEC1AA0ABBD6A7B8081F6
SHA-256:	9D542210472A30C5142DF1F1AC2A25D72A453C5DFAD27B09F805691A2E936082
SHA-512:	715E81E95217EB0D10C1FB3518A589782C2F67BC100E349582CCCB5AB5706C4EC931879E3C03717A099D475F8DBEC58082CEE306C74CD264BD733B5B98AA0B25
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html>

/mnt/allah_is_prick.html

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	HTML document, ASCII text, with very long lines (360), with no line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.824216939715202
Encrypted:	false
SSDEEP:	6:qvdVefkx3wicKPxyj2ay2brGFfi6nNN2PFWdQipKr+CRKf2rQb:4dTx6KJyCaViBNoPFWd/++CRKerQb
MD5:	3A2D9EE3D20A76ED6AF3F066BE482B64
SHA1:	8EE4338DF17D6DBBD7CFEC1AA0ABBD6A7B8081F6
SHA-256:	9D542210472A30C5142DF1F1AC2A25D72A453C5DFAD27B09F805691A2E936082
SHA-512:	715E81E95217EB0D10C1FB3518A589782C2F67BC100E349582CCCB5AB5706C4EC931879E3C03717A099D475F8DBEC58082CEE306C74CD264BD733B5B98AA0B25
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html>

/root/allah_is_prick.html

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	HTML document, ASCII text, with very long lines (360), with no line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.824216939715202
Encrypted:	false
SSDEEP:	6:qvdVefkx3wicKPxyj2ay2brGFfi6nNN2PFWdQipKr+CRKf2rQb:4dTx6KJyCaViBNoPFWd/++CRKerQb
MD5:	3A2D9EE3D20A76ED6AF3F066BE482B64
SHA1:	8EE4338DF17D6DBBD7CFEC1AA0ABBD6A7B8081F6
SHA-256:	9D542210472A30C5142DF1F1AC2A25D72A453C5DFAD27B09F805691A2E936082
SHA-512:	715E81E95217EB0D10C1FB3518A589782C2F67BC100E349582CCCB5AB5706C4EC931879E3C03717A099D475F8DBEC58082CEE306C74CD264BD733B5B98AA0B25
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html>

/tmp/allah_is_prick.html

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	HTML document, ASCII text, with very long lines (11160), with no line terminators
Category:	dropped
Size (bytes):	11160
Entropy (8bit):	4.824216939715202
Encrypted:	false
SSDEEP:	192:wLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLYLv:s
MD5:	5A685CBE9A538B8AC034F7330825FCAF
SHA1:	1C7BB6895AEF2D35CE44A9B8913E2372A8292656
SHA-256:	04049BED3C3F91BA576248067B0282B1D793ED7E09B0F30591D4984CFE1F6375
SHA-512:	6BA261FE2F85FCF3B696927B0738538C66D4AEA6C134DAB921392D68EB89BF803D28DEDC5F91B6F563C14C494EE1F8811CBDFE379C539327BFE92A22B3EDF5CC
Malicious:	false
Reputation:	low
Preview:	<html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html><html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html><html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (

/usr/bin/isovqu

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	95664
Entropy (8bit):	6.891945863688813
Encrypted:	false
SSDEEP:	1536:BgxL9QiaaNaGwtnjTE/AGm3wmBrX1eDxjANKisHOTOOcCDnKFshB55Zt0:C2/y5UThnwxjAUiDOOcnmNTK
MD5:	866AB94CDBA8C1E145FCFC5E8A587251
SHA1:	3EDA27CA9939320A3FDD89E794D3C1207CCA7902
SHA-256:	B8ABA5F4F1A0F074F60982B0F030FD84AF36556D747E0642A8FB575F9899DE6C
SHA-512:	67CA67CAFA457190E67D3D50A1DFACB00233800B4EAAA9396C94E53DA0F69067306BA6D933EDAC07803EB7778A3520ADFCFE0ABE9BFA9A470AB4756E6CE2867C
Malicious:	true
Yara Hits:	Rule: Mirai_Botnet_Malware, Description: Detects Mirai Botnet Malware, Source: /usr/bin/isovqu, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 56%, Browse
Reputation:	low
Preview:	.ELF.....................@.4....s......4. ...(...............@...@.Pl..Pl...............p...pB..pB......)..........Q.td............................././"O.n........#.@........#.@lB...o&O.n...l..............................././.../.a"O.!...n..a.b("...q.(.B...a.b("...q...!.....A.....).o&O.n.i.h.....sB..pB.....PlA....../.."O.!...n.....A....Ba.!.....!...o&O.n+A.......................o&O.n..........PlA..sB..pB........e.ff/F/.../.......A....+A.....`@...@.`CA.l.A.t.A............../Ld././lj./sk./././"O..\..?0aY.[..!J...Pg3b.rz!.##c$a.!..z!U. a.!..Pg#c.sz!."3b4a.!..z!O. a.!..Pg#c.sz!."3b4a.!..z!I.....dH..H.e.d.eG....H..d.e.....H..d.eB....H..@..1......d.I.e.d.e..P..I.h.cD.Z...6.7..4V.V..@.4.TH$..@.... ..2..B.dJ..0..D.\|?&O.n.m.l.k.j.i.h..........................#..T.C.....0. ..T.A.....0..."........T.A.....3=R'04.\|..W,7pa.c3a.q.a.1..3a...q.'.....r&.....Q..(...Q\|Q.. pB..pB.0pB.LpB...@.. @..CA..CA.4.@..@................4.8......]..A$.\..B%.Z..C&.Y..@'.W..A(.V..B).T..C.S..@+.Q..A,.P..B-.

/var/allah_is_prick.html

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	HTML document, ASCII text, with very long lines (360), with no line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.824216939715202
Encrypted:	false
SSDEEP:	6:qvdVefkx3wicKPxyj2ay2brGFfi6nNN2PFWdQipKr+CRKf2rQb:4dTx6KJyCaViBNoPFWd/++CRKerQb
MD5:	3A2D9EE3D20A76ED6AF3F066BE482B64
SHA1:	8EE4338DF17D6DBBD7CFEC1AA0ABBD6A7B8081F6
SHA-256:	9D542210472A30C5142DF1F1AC2A25D72A453C5DFAD27B09F805691A2E936082
SHA-512:	715E81E95217EB0D10C1FB3518A589782C2F67BC100E349582CCCB5AB5706C4EC931879E3C03717A099D475F8DBEC58082CEE306C74CD264BD733B5B98AA0B25
Malicious:	false
Preview:	<html> why I doing this, ALLAH is HURTING MY BODY, TOUCHING MY BODY, ASK ME TO PRAY TO his devil deeds.<br> ALLAH is the REAL Devil<br> ALLAH is the REAL Satan<br> Allah is Touching my body, hurting my body, years by years, The whole time<br> ALLAH is IBLEES<br> Allah (or his spirit or) electrocuted my body hurting my body == allah is SATAN </html>

/var/spool/cron/crontabs/root

Download File

Process:	/tmp/firmware.sh4.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.970573095811684
Encrypted:	false
SSDEEP:	3:SH3Uauvn:SH3Ujvn
MD5:	1A01B50D693C1189008B251AE1A2DF7B
SHA1:	6CA8997525685A22B8ACE5FE46321D6C6A72EE55
SHA-256:	AB2A091E581E6CBD1F6B50D401D6F47F8A62B3C6343F9029B5481E4BBD85B8EF
SHA-512:	274CA3DE264045A980FEDE9FE0538980878B49505ECB6F7E065B4B03AF64E86704C6B9B60C02EB14050E037E0020CD8F1EBE30576D4CF52B7511FC6C97FAC659
Malicious:	true
Preview:	@reboot (/bin/isovqu).

/var/spool/cron/crontabs/tmp.LcjwCF

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	450
Entropy (8bit):	5.096552118169869
Encrypted:	false
SSDEEP:	12:8QjTxKYFT83QC8eHLU0vQjTxKYFT83QC8eHLUHYyvmyvn:82x1oUALUy2x1oUALUtvfvn
MD5:	1C4BD90B60F8EAABF6AC7B1BD58B5B02
SHA1:	2C1AAEE92CBCA33B034AE9F950A32C3BE45CBC7A
SHA-256:	5DF4AEE3DC343F08A82634E24E14B80771DBD7E0082481E7CC5B6A7CFE7A346F
SHA-512:	F353F7A29CFB9A6C88E2FFF1EAE58A4FC8C30BE0167B5786725F5C492DD0DB9938F184D5C1584F03EE9BC09D47E4F318FA71B2437D08618640E489106094BD05
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (/var/spool/cron/crontabs/root installed on Sun Sep 1 10:34:38 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).# DO NOT EDIT THIS FILE - edit the master and reinstall..# (/var/spool/cron/crontabs/root installed on Sun Sep 1 10:34:38 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot (/bin/isovqu).@reboot (/bin/isovqu).

/var/spool/cron/crontabs/tmp.dUBIUw

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	247
Entropy (8bit):	5.097059969385634
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1K+1fxKYFK1OBFQ3QCqvZHGMQ5UYLtCFt3HYUjvmUjvn:8QjTxKYFT83QC8eHLUHYyvmyvn
MD5:	87B992514A260ACF32008AF2797AC4F3
SHA1:	EF72845BF1C1CFFD82B60904CBE8EF3440ACFD6F
SHA-256:	1C2F05089A5B1EDD1515BD7EA4059CD3B2B9CF7B6DC47282E21E4170967A7F89
SHA-512:	97E6BB49EBA65A0AD1C46D90CDD329599BB75A91ABFE05FA3D0E6990BA11A7F5257613DA3641C3AF71D9C0AF0B27735A348E385FBCB908BEA0FCB392E0F780E1
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (/var/spool/cron/crontabs/root installed on Sun Sep 1 10:34:38 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).@reboot (/bin/isovqu).@reboot (/bin/isovqu).

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.891945863688813
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	firmware.sh4.elf
File size:	95'664 bytes
MD5:	866ab94cdba8c1e145fcfc5e8a587251
SHA1:	3eda27ca9939320a3fdd89e794d3c1207cca7902
SHA256:	b8aba5f4f1a0f074f60982b0f030fd84af36556d747e0642a8fb575f9899de6c
SHA512:	67ca67cafa457190e67d3d50a1dfacb00233800b4eaaa9396c94e53da0f69067306ba6d933edac07803eb7778a3520adfcfe0abe9bfa9a470ab4756e6ce2867c
SSDEEP:	1536:BgxL9QiaaNaGwtnjTE/AGm3wmBrX1eDxjANKisHOTOOcCDnKFshB55Zt0:C2/y5UThnwxjAUiDOOcnmNTK
TLSH:	4793BF62C42AADA0D2559635B0A4CF7C9763E60495571EFAAA82C3BEC043FDCF5053F8
File Content Preview:	.ELF.....................@.4....s......4. ...(...............@...@.Pl..Pl...............p...pB..pB......)..........Q.td............................././"O.n........#.@........#.*@lB...o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	95224
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0x14280	0x0	0x6	AX	32
.fini	PROGBITS	0x414360	0x14360	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x414384	0x14384	0x28cc	0x0	0x2	A	4
.ctors	PROGBITS	0x427000	0x17000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x427008	0x17008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x427014	0x17014	0x390	0x0	0x3	WA	4
.got	PROGBITS	0x4273a4	0x173a4	0x10	0x4	0x3	WA	4
.bss	NOBITS	0x4273b4	0x173b4	0x2608	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x173b4	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x16c50	0x16c50	6.9636	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x17000	0x427000	0x427000	0x3b4	0x29bc	3.0328	0x6	RW	0x10000	.ctors .dtors .data .got .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

System Behavior

Analysis Process: firmware.sh4.elf PID: 6255, Parent PID: 6180

General

Start time (UTC):	15:34:35
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	/tmp/firmware.sh4.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6258, Parent PID: 6255

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6260, Parent PID: 6258

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6264, Parent PID: 6260

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6267, Parent PID: 6260

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6277, Parent PID: 6267

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6277, Parent PID: 6267

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6292, Parent PID: 6277

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6292, Parent PID: 6277

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6345, Parent PID: 6267

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6345, Parent PID: 6267

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6350, Parent PID: 6345

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6350, Parent PID: 6345

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6378, Parent PID: 6267

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6378, Parent PID: 6267

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6380, Parent PID: 6378

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6380, Parent PID: 6378

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6389, Parent PID: 6267

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6389, Parent PID: 6267

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6395, Parent PID: 6389

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6395, Parent PID: 6389

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6403, Parent PID: 6267

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6403, Parent PID: 6267

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6409, Parent PID: 6403

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6409, Parent PID: 6403

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6426, Parent PID: 6267

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6426, Parent PID: 6267

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6428, Parent PID: 6426

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6428, Parent PID: 6426

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6437, Parent PID: 6267

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6437, Parent PID: 6267

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6439, Parent PID: 6437

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6439, Parent PID: 6437

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6447, Parent PID: 6267

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6447, Parent PID: 6267

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6453, Parent PID: 6447

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6453, Parent PID: 6447

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6473, Parent PID: 6267

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6473, Parent PID: 6267

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6478, Parent PID: 6473

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6478, Parent PID: 6473

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6491, Parent PID: 6267

General

Start time (UTC):	15:36:21
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6491, Parent PID: 6267

General

Start time (UTC):	15:36:22
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6495, Parent PID: 6491

General

Start time (UTC):	15:36:22
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6495, Parent PID: 6491

General

Start time (UTC):	15:36:22
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6512, Parent PID: 6267

General

Start time (UTC):	15:36:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6512, Parent PID: 6267

General

Start time (UTC):	15:36:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6518, Parent PID: 6512

General

Start time (UTC):	15:36:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6518, Parent PID: 6512

General

Start time (UTC):	15:36:36
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6270, Parent PID: 6260

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6276, Parent PID: 6260

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6288, Parent PID: 6276

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6288, Parent PID: 6276

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6294, Parent PID: 6288

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6294, Parent PID: 6288

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6281, Parent PID: 6260

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6309, Parent PID: 6260

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6309, Parent PID: 6260

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "crontab /var/spool/cron/crontabs/root"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6313, Parent PID: 6309

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 6313, Parent PID: 6309

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/usr/bin/crontab
Arguments:	crontab /var/spool/cron/crontabs/root
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6412, Parent PID: 6260

General

Start time (UTC):	15:35:27
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6414, Parent PID: 6412

General

Start time (UTC):	15:35:27
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6458, Parent PID: 6260

General

Start time (UTC):	15:36:03
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6460, Parent PID: 6458

General

Start time (UTC):	15:36:03
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6483, Parent PID: 6260

General

Start time (UTC):	15:36:21
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6485, Parent PID: 6483

General

Start time (UTC):	15:36:21
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6521, Parent PID: 6260

General

Start time (UTC):	15:36:39
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6523, Parent PID: 6521

General

Start time (UTC):	15:36:39
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6261, Parent PID: 6258

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6263, Parent PID: 6258

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6272, Parent PID: 6263

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6272, Parent PID: 6263

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6291, Parent PID: 6272

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6291, Parent PID: 6272

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6338, Parent PID: 6263

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6338, Parent PID: 6263

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6344, Parent PID: 6338

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6344, Parent PID: 6338

General

Start time (UTC):	15:34:53
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6375, Parent PID: 6263

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6375, Parent PID: 6263

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6377, Parent PID: 6375

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6377, Parent PID: 6375

General

Start time (UTC):	15:35:04
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6386, Parent PID: 6263

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6386, Parent PID: 6263

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6388, Parent PID: 6386

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6388, Parent PID: 6386

General

Start time (UTC):	15:35:14
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6400, Parent PID: 6263

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6400, Parent PID: 6263

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6402, Parent PID: 6400

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6402, Parent PID: 6400

General

Start time (UTC):	15:35:24
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6420, Parent PID: 6263

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6420, Parent PID: 6263

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6425, Parent PID: 6420

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6425, Parent PID: 6420

General

Start time (UTC):	15:35:35
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6434, Parent PID: 6263

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6434, Parent PID: 6263

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6436, Parent PID: 6434

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6436, Parent PID: 6434

General

Start time (UTC):	15:35:45
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6444, Parent PID: 6263

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6444, Parent PID: 6263

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6446, Parent PID: 6444

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6446, Parent PID: 6444

General

Start time (UTC):	15:35:56
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6466, Parent PID: 6263

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6466, Parent PID: 6263

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6472, Parent PID: 6466

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6472, Parent PID: 6466

General

Start time (UTC):	15:36:11
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6506, Parent PID: 6263

General

Start time (UTC):	15:36:31
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6506, Parent PID: 6263

General

Start time (UTC):	15:36:31
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6508, Parent PID: 6506

General

Start time (UTC):	15:36:31
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6508, Parent PID: 6506

General

Start time (UTC):	15:36:31
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6266, Parent PID: 6258

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6274, Parent PID: 6258

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6287, Parent PID: 6274

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6287, Parent PID: 6274

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "hostname -I"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6293, Parent PID: 6287

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: hostname PID: 6293, Parent PID: 6287

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/usr/bin/hostname
Arguments:	hostname -I
File size:	26856 bytes
MD5 hash:	1ce73d718e3dccc1aaa7bce6ae2ef0a7

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6279, Parent PID: 6258

General

Start time (UTC):	15:34:36
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6311, Parent PID: 6258

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: sh PID: 6311, Parent PID: 6258

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	sh -c "crontab /var/spool/cron/crontabs/root"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6314, Parent PID: 6311

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: crontab PID: 6314, Parent PID: 6311

General

Start time (UTC):	15:34:37
Start date (UTC):	01/09/2024
Path:	/usr/bin/crontab
Arguments:	crontab /var/spool/cron/crontabs/root
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6487, Parent PID: 6258

General

Start time (UTC):	15:36:21
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6489, Parent PID: 6487

General

Start time (UTC):	15:36:21
Start date (UTC):	01/09/2024
Path:	/tmp/firmware.sh4.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report firmware.sh4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/allah_is_prick.html

/etc/d

/home/allah_is_prick.html

/mnt/allah_is_prick.html

/root/allah_is_prick.html

/tmp/allah_is_prick.html

/usr/bin/isovqu

/var/allah_is_prick.html

/var/spool/cron/crontabs/root

/var/spool/cron/crontabs/tmp.LcjwCF

/var/spool/cron/crontabs/tmp.dUBIUw

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

System Behavior

Analysis Process: firmware.sh4.elf PID: 6255, Parent PID: 6180

General

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6258, Parent PID: 6255

General

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6260, Parent PID: 6258

General

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6264, Parent PID: 6260

General

Chronological Activities

Analysis Process: firmware.sh4.elf PID: 6267, Parent PID: 6260

General

Chronological Activities

Linux Analysis Report
firmware.sh4.elf