Source: yakov.arm7.elf | ReversingLabs: Detection: 34%
Source: global traffic | TCP traffic: 192.168.2.13:43966 -> 87.120.114.147:3778
Source: /tmp/yakov.arm7.elf (PID: 5434) | Socket: 127.0.0.1:40171
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.114.147
Source: unknown | TCP traffic detected without corresponding DNS query: 1.163.2.196
Source: unknown | TCP traffic detected without corresponding DNS query: 255.188.192.20
Source: unknown | TCP traffic detected without corresponding DNS query: 136.36.208.140
Source: unknown | TCP traffic detected without corresponding DNS query: 250.11.241.197
Source: unknown | TCP traffic detected without corresponding DNS query: 83.95.75.166
Source: unknown | TCP traffic detected without corresponding DNS query: 1.154.224.85
Source: unknown | TCP traffic detected without corresponding DNS query: 201.31.163.172
Source: unknown | TCP traffic detected without corresponding DNS query: 2.99.84.250
Source: unknown | TCP traffic detected without corresponding DNS query: 138.209.173.35
Source: unknown | TCP traffic detected without corresponding DNS query: 220.119.134.28
Source: unknown | TCP traffic detected without corresponding DNS query: 84.3.37.236
Source: unknown | TCP traffic detected without corresponding DNS query: 216.72.157.135
Source: unknown | TCP traffic detected without corresponding DNS query: 68.157.9.3
Source: unknown | TCP traffic detected without corresponding DNS query: 31.209.163.16
Source: unknown | TCP traffic detected without corresponding DNS query: 14.192.248.195
Source: unknown | TCP traffic detected without corresponding DNS query: 94.247.248.229
Source: unknown | TCP traffic detected without corresponding DNS query: 86.43.251.139
Source: unknown | TCP traffic detected without corresponding DNS query: 141.75.211.142
Source: unknown | TCP traffic detected without corresponding DNS query: 146.178.24.147
Source: unknown | TCP traffic detected without corresponding DNS query: 106.158.81.166
Source: unknown | TCP traffic detected without corresponding DNS query: 190.185.15.13
Source: unknown | TCP traffic detected without corresponding DNS query: 133.101.123.102
Source: unknown | TCP traffic detected without corresponding DNS query: 156.47.175.90
Source: unknown | TCP traffic detected without corresponding DNS query: 242.252.136.99
Source: unknown | TCP traffic detected without corresponding DNS query: 197.34.79.173
Source: unknown | TCP traffic detected without corresponding DNS query: 53.214.99.224
Source: unknown | TCP traffic detected without corresponding DNS query: 78.180.16.126
Source: unknown | TCP traffic detected without corresponding DNS query: 107.50.61.198
Source: unknown | TCP traffic detected without corresponding DNS query: 136.109.221.242
Source: unknown | TCP traffic detected without corresponding DNS query: 86.173.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 144.71.168.197
Source: unknown | TCP traffic detected without corresponding DNS query: 198.64.173.130
Source: unknown | TCP traffic detected without corresponding DNS query: 65.134.100.163
Source: unknown | TCP traffic detected without corresponding DNS query: 178.16.95.46
Source: unknown | TCP traffic detected without corresponding DNS query: 241.67.119.214
Source: unknown | TCP traffic detected without corresponding DNS query: 213.51.158.175
Source: unknown | TCP traffic detected without corresponding DNS query: 14.54.193.140
Source: unknown | TCP traffic detected without corresponding DNS query: 37.105.33.106
Source: unknown | TCP traffic detected without corresponding DNS query: 253.207.132.152
Source: unknown | TCP traffic detected without corresponding DNS query: 18.170.6.196
Source: unknown | TCP traffic detected without corresponding DNS query: 151.189.60.140
Source: unknown | TCP traffic detected without corresponding DNS query: 24.208.40.247
Source: unknown | TCP traffic detected without corresponding DNS query: 217.7.74.195
Source: unknown | TCP traffic detected without corresponding DNS query: 190.56.173.170
Source: unknown | TCP traffic detected without corresponding DNS query: 99.75.117.118
Source: unknown | TCP traffic detected without corresponding DNS query: 114.254.98.184
Source: yakov.arm7.elf | String found in binary or memory: http://upx.sf.net
Source: 5432.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5432.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5436.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5436.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: yakov.arm7.elf PID: 5432, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: yakov.arm7.elf PID: 5432, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: yakov.arm7.elf PID: 5436, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: yakov.arm7.elf PID: 5436, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: LOAD without section mappings | Program segment: 0x8000
Source: 5432.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5432.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5436.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5436.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: yakov.arm7.elf PID: 5432, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: yakov.arm7.elf PID: 5432, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: yakov.arm7.elf PID: 5436, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: yakov.arm7.elf PID: 5436, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine | Classification label: mal68.troj.evad.linELF@0/0@0/0
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: yakov.arm7.elf | Submission file: segment LOAD with 7.9589 entropy (max. 8.0)
Source: /tmp/yakov.arm7.elf (PID: 5432) | Queries kernel information via 'uname'
Source: yakov.arm7.elf, 5432.1.000055ed9079c000.000055ed9092c000.rw-.sdmp, yakov.arm7.elf, 5436.1.000055ed9079c000.000055ed9090a000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: yakov.arm7.elf, 5432.1.000055ed9079c000.000055ed9092c000.rw-.sdmp, yakov.arm7.elf, 5436.1.000055ed9079c000.000055ed9090a000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: yakov.arm7.elf, 5432.1.00007fff33aee000.00007fff33b0f000.rw-.sdmp, yakov.arm7.elf, 5436.1.00007fff33aee000.00007fff33b0f000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: yakov.arm7.elf, 5432.1.00007fff33aee000.00007fff33b0f000.rw-.sdmp, yakov.arm7.elf, 5436.1.00007fff33aee000.00007fff33b0f000.rw-.sdmp | Binary or memory string: ,Tx86_64/usr/bin/qemu-arm/tmp/yakov.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yakov.arm7.elf
Source: Yara match | File source: 5432.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5436.1.00007f3430017000.00007f343002b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yakov.arm7.elf PID: 5432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yakov.arm7.elf PID: 5436, type: MEMORYSTR