Source: ppc.elf |
Malware Configuration Extractor: Gafgyt {"C2 url": "212.224.93.228:666"} |
Source: ppc.elf |
ReversingLabs: Detection: 71% |
Source: Network traffic |
Suricata IDS: 2847206 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin : 192.168.2.13:37036 -> 212.224.93.228:666 |
Source: global traffic |
TCP traffic: 192.168.2.13:37036 -> 212.224.93.228:666 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 212.224.93.228 |
Source: global traffic |
DNS traffic detected: DNS query: daisy.ubuntu.com |
Source: classification engine |
Classification label: mal88.troj.linELF@0/0@2/0 |
Source: ppc.elf |
ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/brk.S |
Source: ppc.elf |
ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/crt1.S |
Source: ppc.elf |
ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/crti.S |
Source: ppc.elf |
ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/crtn.S |
Source: ppc.elf |
ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/vfork.S |
Source: /tmp/ppc.elf (PID: 5428) |
Queries kernel information via 'uname': |
Source: ppc.elf, 5428.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp, ppc.elf, 5430.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp, ppc.elf, 5432.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp |
Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq |
Source: ppc.elf, 5443.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp |
Binary or memory string: !/etc/qemu-binfmt/ppc1 |
Source: ppc.elf, 5428.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp, ppc.elf, 5430.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp, ppc.elf, 5432.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp, ppc.elf, 5443.1.000055f5c6e30000.000055f5c6ee0000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/ppc |
Source: ppc.elf, 5428.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp, ppc.elf, 5430.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp, ppc.elf, 5432.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp, ppc.elf, 5443.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-ppc |
Source: ppc.elf, 5428.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp, ppc.elf, 5430.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp, ppc.elf, 5432.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp, ppc.elf, 5443.1.00007ffd90995000.00007ffd909b6000.rw-.sdmp |
Binary or memory string: lx86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf |
Source: Yara match |
File source: ppc.elf, type: SAMPLE |
Source: Yara match |
File source: ppc.elf, type: SAMPLE |
Source: Yara match |
File source: 5430.1.00007f8e50001000.00007f8e50017000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 5443.1.00007f8e50001000.00007f8e50017000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 5428.1.00007f8e50001000.00007f8e50017000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 5432.1.00007f8e50001000.00007f8e50017000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ppc.elf PID: 5428, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: ppc.elf PID: 5430, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: ppc.elf PID: 5432, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: ppc.elf PID: 5443, type: MEMORYSTR |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (X11; CrOS x86_64 9592.96.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.114 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 535) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Mobile Safari/537.36 Edge/14.14393 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Linux; Android 4.4.4; HTC Desire 620 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5 |