Source: mipsel.elf | Malware Configuration Extractor: Gafgyt {"C2 url": "212.224.93.228:666"}
Source: Network traffic | Suricata IDS: 2847206 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin : 192.168.2.23:41010 -> 212.224.93.228:666
Source: global traffic | TCP traffic: 192.168.2.23:41010 -> 212.224.93.228:666
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 212.224.93.228
Source: unknown | TCP traffic detected without corresponding DNS query: 212.224.93.228
Source: unknown | TCP traffic detected without corresponding DNS query: 212.224.93.228
Source: unknown | TCP traffic detected without corresponding DNS query: 212.224.93.228
Source: unknown | TCP traffic detected without corresponding DNS query: 212.224.93.228
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engine | Classification label: mal80.troj.linELF@0/0@0/0
Source: mipsel.elf | ELF static info symbol of initial sample: libc/string/mips/memcpy.S
Source: mipsel.elf | ELF static info symbol of initial sample: libc/string/mips/memset.S
Source: mipsel.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crt1.S
Source: mipsel.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crti.S
Source: mipsel.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/crtn.S
Source: mipsel.elf | ELF static info symbol of initial sample: libc/sysdeps/linux/mips/pipe.S
Source: /tmp/mipsel.elf (PID: 6236) | Queries kernel information via 'uname':
Source: mipsel.elf, 6236.1.000055f3856b1000.000055f385738000.rw-.sdmp, mipsel.elf, 6238.1.000055f3856b1000.000055f385738000.rw-.sdmp, mipsel.elf, 6240.1.000055f3856b1000.000055f385738000.rw-.sdmp, mipsel.elf, 6248.1.000055f3856b1000.000055f385738000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.elf, 6236.1.000055f3856b1000.000055f385738000.rw-.sdmp, mipsel.elf, 6238.1.000055f3856b1000.000055f385738000.rw-.sdmp, mipsel.elf, 6240.1.000055f3856b1000.000055f385738000.rw-.sdmp, mipsel.elf, 6248.1.000055f3856b1000.000055f385738000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mipsel.elf, 6236.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp, mipsel.elf, 6238.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp, mipsel.elf, 6240.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp, mipsel.elf, 6248.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mipsel.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.elf
Source: mipsel.elf, 6236.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp, mipsel.elf, 6238.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp, mipsel.elf, 6240.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp, mipsel.elf, 6248.1.00007ffc00f08000.00007ffc00f29000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Source: Yara match | File source: mipsel.elf, type: SAMPLE
Source: Yara match | File source: mipsel.elf, type: SAMPLE
Source: Yara match | File source: 6240.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6236.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6248.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6238.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6236, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6238, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6248, type: MEMORYSTR
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38
Source: Initial sample | User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Source: Initial sample | User agent string found: Mozilla/5.0 (X11; CrOS x86_64 9592.96.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.114 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 535) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Mobile Safari/537.36 Edge/14.14393
Source: Initial sample | User agent string found: Mozilla/5.0 (Linux; Android 4.4.4; HTC Desire 620 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample | User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5
Source: Yara match | File source: mipsel.elf, type: SAMPLE
Source: Yara match | File source: mipsel.elf, type: SAMPLE
Source: Yara match | File source: 6240.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6236.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6248.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6238.1.00007efdf8400000.00007efdf841d000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6236, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6238, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mipsel.elf PID: 6248, type: MEMORYSTR