Source: yakov.mpsl.elf |
ReversingLabs: Detection: 44% |
Source: global traffic |
TCP traffic: 192.168.2.23:43468 -> 87.120.114.147:3778 |
Source: /tmp/yakov.mpsl.elf (PID: 6254) |
Socket: 127.0.0.1:16384 |
Source: global traffic |
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: yakov.mpsl.elf |
String found in binary or memory: http://upx.sf.net |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: 6252.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: 6252.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: 6256.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: 6256.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: Process Memory Space: yakov.mpsl.elf PID: 6252, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: Process Memory Space: yakov.mpsl.elf PID: 6252, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: Process Memory Space: yakov.mpsl.elf PID: 6256, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: Process Memory Space: yakov.mpsl.elf PID: 6256, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: LOAD without section mappings |
Program segment: 0x100000 |
Source: 6252.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: 6252.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: 6256.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: 6256.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: Process Memory Space: yakov.mpsl.elf PID: 6252, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: Process Memory Space: yakov.mpsl.elf PID: 6252, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: Process Memory Space: yakov.mpsl.elf PID: 6256, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: Process Memory Space: yakov.mpsl.elf PID: 6256, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: classification engine |
Classification label: mal76.troj.evad.linELF@0/0@0/0 |
Source: initial sample |
String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample |
String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $ |
Source: /usr/bin/dash (PID: 6228) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.SKbQfUM3ZI /tmp/tmp.rEO5aZBARM /tmp/tmp.bfXovuPUbk |
Source: /usr/bin/dash (PID: 6229) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.SKbQfUM3ZI /tmp/tmp.rEO5aZBARM /tmp/tmp.bfXovuPUbk |
Source: yakov.mpsl.elf |
Submission file: segment LOAD with 7.8835 entropy (max. 8.0) |
Source: /tmp/yakov.mpsl.elf (PID: 6252) |
Queries kernel information via 'uname': |
Source: yakov.mpsl.elf, 6252.1.000055e7436fc000.000055e743783000.rw-.sdmp, yakov.mpsl.elf, 6256.1.000055e7436fc000.000055e743783000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mipsel |
Source: yakov.mpsl.elf, 6252.1.00007ffebac62000.00007ffebac83000.rw-.sdmp, yakov.mpsl.elf, 6256.1.00007ffebac62000.00007ffebac83000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/yakov.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yakov.mpsl.elf |
Source: yakov.mpsl.elf, 6252.1.000055e7436fc000.000055e743783000.rw-.sdmp, yakov.mpsl.elf, 6256.1.000055e7436fc000.000055e743783000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/mipsel |
Source: yakov.mpsl.elf, 6252.1.00007ffebac62000.00007ffebac83000.rw-.sdmp, yakov.mpsl.elf, 6256.1.00007ffebac62000.00007ffebac83000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mipsel |
Source: Yara match |
File source: 6252.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6256.1.00007f29b0400000.00007f29b0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: yakov.mpsl.elf PID: 6252, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: yakov.mpsl.elf PID: 6256, type: MEMORYSTR |