Source: sshd.elf |
ReversingLabs: Detection: 21% |
Source: global traffic |
TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.125.190.26 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.125.190.26 |
Source: global traffic |
DNS traffic detected: DNS query: daisy.ubuntu.com |
Source: sshd.elf |
ELF static info symbol of initial sample: freeaddrinfo |
Source: sshd.elf |
ELF static info symbol of initial sample: gai_strerror |
Source: sshd.elf |
ELF static info symbol of initial sample: getaddrinfo |
Source: sshd.elf |
ELF static info symbol of initial sample: getnameinfo |
Source: sshd.elf |
String found in binary or memory: http://www.openssl.org/support/faq.html |
Source: sshd.elf |
String found in binary or memory: http://www.openssl.org/support/faq.htmlmd_rand.c |
Source: unknown |
Network traffic detected: HTTP traffic on port 48202 -> 443 |
Source: Initial sample |
Potential command found: ssh server is locked, please try again %dmin after !!! |
Source: Initial sample |
Potential command found: X11 forwarding |
Source: Initial sample |
Potential command found: X11 forwarding disabled in user configuration file. |
Source: Initial sample |
Potential command found: X11 forwarding disabled in server configuration file. |
Source: Initial sample |
Potential command found: X11 display already set. |
Source: Initial sample |
Potential command found: X11 connection requested. |
Source: Initial sample |
Potential command found: X11 connection from %.200s port %d |
Source: Initial sample |
Potential command found: X11 connection rejected because of wrong authentication. |
Source: Initial sample |
Potential command found: X11 rejected %d i%d/o%d |
Source: Initial sample |
Potential command found: X11 closed %d i%d/o%d |
Source: Initial sample |
Potential command found: X11 inet listener |
Source: Initial sample |
Potential command found: X11 connection uses different authentication protocol. |
Source: Initial sample |
Potential command found: X11 auth data does not match fake data. |
Source: Initial sample |
Potential command found: X11 fake_data_len %d != saved_data_len %d |
Source: ELF static info symbol of initial sample |
.symtab present: no |
Source: classification engine |
Classification label: mal48.linELF@0/0@2/0 |
Source: ELF symbol in initial sample |
Symbol name: usleep |
Source: /tmp/sshd.elf (PID: 5428) |
Queries kernel information via 'uname': |
Jump to behavior |
Source: sshd.elf, 5428.1.00007ffe997a2000.00007ffe997c3000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/sshd.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sshd.elf |
Source: sshd.elf, 5428.1.000056425c382000.000056425c4b0000.rw-.sdmp |
Binary or memory string: 9\BV!/etc/qemu-binfmt/arm |
Source: sshd.elf, 5428.1.000056425c382000.000056425c4b0000.rw-.sdmp |
Binary or memory string: 8\BVrg.qemu.gdb.arm.sys.regs"> |
Source: sshd.elf, 5428.1.00007ffe997a2000.00007ffe997c3000.rw-.sdmp |
Binary or memory string: qemu: %s: %s |
Source: sshd.elf, 5428.1.00007ffe997a2000.00007ffe997c3000.rw-.sdmp |
Binary or memory string: leqemu: %s: %s |
Source: sshd.elf, 5428.1.000056425c382000.000056425c4b0000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
Source: sshd.elf, 5428.1.00007ffe997a2000.00007ffe997c3000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |
Source: sshd.elf, 5428.1.000056425c382000.000056425c4b0000.rw-.sdmp |
Binary or memory string: rg.qemu.gdb.arm.sys.regs"> |