Linux Analysis Report
yakuza.i686.elf

Overview

General Information

Sample name: yakuza.i686.elf
Analysis ID: 1541843
MD5: 4b2bfa94425ea635064b9ed7c5ae58fe
SHA1: 586399e2e8798c86fe93120defcd7efc2b274a79
SHA256: d6a2a22000d68d79caeae482d8cf092c2d84d55dccee05e179a961c72f77b1ba
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: yakuza.i686.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: yakuza.i686.elf ReversingLabs: Detection: 68%
Machine Learning detection for sample
Source: yakuza.i686.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5531) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5545) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5553) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5561) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5566) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5590) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5595) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5600) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5603) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5609) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5612) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5617) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5620) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5625) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5628) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5638) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5643) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5648) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5651) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5657) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5660) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5665) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5668) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5673) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5678) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5681) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5686) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5691) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5694) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5700) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5703) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5708) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5713) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5716) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5721) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5726) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5731) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5736) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5739) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5743) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5748) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses IRC for communication with a C&C
Source: unknown IRC traffic detected: 192.168.2.15:45152 -> 194.110.247.46:5060 NICK [OSX|x86_32]s8Gn3ZdS USER s8Gn3ZdS localhost localhost :s8Gn3ZdS
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 45152 -> 5060
Source: unknown Network traffic detected: IRC traffic on port 45152 -> 5060
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.15:45152 -> 194.110.247.46:5060
Source: unknown TCP traffic detected without corresponding DNS query: 200.45.177.207
Source: unknown TCP traffic detected without corresponding DNS query: 12.233.191.131
Source: unknown TCP traffic detected without corresponding DNS query: 171.232.4.249
Source: unknown TCP traffic detected without corresponding DNS query: 243.63.122.204
Source: unknown TCP traffic detected without corresponding DNS query: 152.25.176.134
Source: unknown TCP traffic detected without corresponding DNS query: 141.198.55.107
Source: unknown TCP traffic detected without corresponding DNS query: 179.172.182.165
Source: unknown TCP traffic detected without corresponding DNS query: 49.37.178.100
Source: unknown TCP traffic detected without corresponding DNS query: 164.169.167.153
Source: unknown TCP traffic detected without corresponding DNS query: 151.59.233.163
Source: unknown TCP traffic detected without corresponding DNS query: 105.161.229.21
Source: unknown TCP traffic detected without corresponding DNS query: 138.105.15.24
Source: unknown TCP traffic detected without corresponding DNS query: 222.179.207.143
Source: unknown TCP traffic detected without corresponding DNS query: 89.2.243.170
Source: unknown TCP traffic detected without corresponding DNS query: 217.206.246.194
Source: unknown TCP traffic detected without corresponding DNS query: 56.48.167.93
Source: unknown TCP traffic detected without corresponding DNS query: 175.197.3.73
Source: unknown TCP traffic detected without corresponding DNS query: 240.92.215.123
Source: unknown TCP traffic detected without corresponding DNS query: 69.103.20.244
Source: unknown TCP traffic detected without corresponding DNS query: 45.23.189.140
Source: unknown TCP traffic detected without corresponding DNS query: 203.141.28.164
Source: unknown TCP traffic detected without corresponding DNS query: 16.144.79.251
Source: unknown TCP traffic detected without corresponding DNS query: 141.149.0.198
Source: unknown TCP traffic detected without corresponding DNS query: 69.40.36.158
Source: unknown TCP traffic detected without corresponding DNS query: 118.58.227.187
Source: unknown TCP traffic detected without corresponding DNS query: 251.119.126.12
Source: unknown TCP traffic detected without corresponding DNS query: 8.78.9.22
Source: unknown TCP traffic detected without corresponding DNS query: 246.154.98.103
Source: unknown TCP traffic detected without corresponding DNS query: 154.169.16.17
Source: unknown TCP traffic detected without corresponding DNS query: 162.116.222.61
Source: unknown TCP traffic detected without corresponding DNS query: 150.221.72.129
Source: unknown TCP traffic detected without corresponding DNS query: 158.111.205.3
Source: unknown TCP traffic detected without corresponding DNS query: 14.155.232.54
Source: unknown TCP traffic detected without corresponding DNS query: 6.162.45.182
Source: unknown TCP traffic detected without corresponding DNS query: 33.119.48.79
Source: unknown TCP traffic detected without corresponding DNS query: 142.238.219.217
Source: unknown TCP traffic detected without corresponding DNS query: 49.128.71.168
Source: unknown TCP traffic detected without corresponding DNS query: 33.124.70.132
Source: unknown TCP traffic detected without corresponding DNS query: 53.244.176.211
Source: unknown TCP traffic detected without corresponding DNS query: 80.64.22.114
Source: unknown TCP traffic detected without corresponding DNS query: 100.253.214.199
Source: unknown TCP traffic detected without corresponding DNS query: 216.172.147.222
Source: unknown TCP traffic detected without corresponding DNS query: 152.222.150.47
Source: unknown TCP traffic detected without corresponding DNS query: 188.94.48.75
Source: unknown TCP traffic detected without corresponding DNS query: 249.153.1.232
Source: unknown TCP traffic detected without corresponding DNS query: 118.231.247.79
Source: unknown TCP traffic detected without corresponding DNS query: 149.12.47.101
Source: unknown TCP traffic detected without corresponding DNS query: 57.8.212.158
Source: unknown TCP traffic detected without corresponding DNS query: 7.43.102.159
Source: unknown TCP traffic detected without corresponding DNS query: 203.196.215.1
Source: yakuza.i686.elf String found in binary or memory: http://87.10.220.221/yak.sh;
Source: yakuza.i686.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.i686.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 Author: unknown
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_27de1106 Author: unknown
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: Process Memory Space: yakuza.i686.elf PID: 5526, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Sample and/or dropped files contains symbols with suspicious names
Source: yakuza.i686.elf ELF static info symbol of initial sample: passwords
Source: yakuza.i686.elf ELF static info symbol of initial sample: usernames
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: 902i13BzSxLxBxeYHOHO-LUGO7HOHO-U79OLJuYfouyf87NiGGeR69xdSO190Ij1XLOLKIKEEEDDEekjheory98escansh4MDMAfdevalvexscanspcMELTEDNINJAREALZflexsonskidsscanx86MISAKI-U79OLfoAxi102kxeswodjwodjwojMmKiy7f87lfreecookiex86sysgpufrgegesysupdater0DnAzepdNiGGeRD0nks69frgreutelnetd0x766f6964NiGGeRd0nks1337gafturasgbsigboa120i3UI49OaF3geaevaiolmao123123aOfurain0n4H34DggTrexwasads1293194hjXDOthLaLosnggtwget-log1337SoraLOADERSAIAKINAggtq1378bfp919GRB1Q2SAIAKUSOggtr14FaSEXSLAVE1337ggtt1902a3u912u3u4haetrghbr19ju3dSORAojkf120hehahejeje922U2JDJA901F91SlaVLav12helpmedaddthhhhh2wgg9qphbqSlav3Th3seD3viceshzSmYZjYMQ5GbfSoRAxD123LOLiaGv5aA3SoRAxD420LOLinsomni640277SoraBeReppin1337ipcamCache66tlGg9QTjUYfouyf876ke3TOKYO3lyEeaXul2dULCVxh93OfjHZ2zTY2gD6MZvKc7KU6rmMkiy6f87lA023UU4U24UIUTheWeekndmioribitchesA5p9TheWeekndsmnblkjpoiAbAdTokyosnebAkiruU8inTznetstatsAlexW9RCAKM20TnewnetwordAyo215WordnloadsBAdAsVWordmanenotyakuzaaBelchWordnetsobpBigN0gg0r420X0102I34fofhasfhiafhoiX19I239124UIUoismDeportedXSHJEHHEIIHWOolsVNwo12DeportedDeportedXkTer0Gb
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Yara signature match
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: yakuza.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_f51c5ac3 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 34f254afdf94b1eb29bae4eb8e3864ea49e918a5dbe6e4c9d06a4292c104a792, id = f51c5ac3-ade9-4d01-b578-3473a2b116db, last_modified = 2021-09-16
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_27de1106 reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9a747f0fc7ccc55f24f2654344484f643103da709270a45de4c1174d8e4101cc, id = 27de1106-497d-40a0-8fc4-929f7a927628, last_modified = 2021-09-16
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5526.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.i686.elf PID: 5526, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal76.troj.linELF@0/0@0/0
Source: yakuza.i686.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crt1.S
Source: yakuza.i686.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crti.S
Source: yakuza.i686.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crtn.S
Source: yakuza.i686.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/mmap.S
Source: yakuza.i686.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/vfork.S
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1333/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1333/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1695/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1695/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/911/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/911/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/914/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/914/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/917/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/917/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/19/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/19/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1591/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1591/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1588/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1588/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/246/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/246/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/5/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/5/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/127/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/127/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/6/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/6/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1585/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/1585/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/128/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/128/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/7/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/7/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/129/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/129/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/8/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/8/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/800/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/800/cmdline
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/9/status
Source: /usr/bin/pkill (PID: 5681) File opened: /proc/9/cmdline
Executes commands using a shell command-line interpreter
Source: /tmp/yakuza.i686.elf (PID: 5530) Shell command executed: sh -c "pkill -9 902i13 || busybox pkill -9 902i13" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5544) Shell command executed: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5549) Shell command executed: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5552) Shell command executed: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5557) Shell command executed: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5560) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5565) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5589) Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5594) Shell command executed: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5599) Shell command executed: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5602) Shell command executed: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5608) Shell command executed: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5611) Shell command executed: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5616) Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5619) Shell command executed: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids" Jump to behavior
Source: /tmp/yakuza.i686.elf (PID: 5624) Shell command executed: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
Source: /tmp/yakuza.i686.elf (PID: 5627) Shell command executed: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.i686.elf (PID: 5632) Shell command executed: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.i686.elf (PID: 5637) Shell command executed: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.i686.elf (PID: 5642) Shell command executed: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.i686.elf (PID: 5647) Shell command executed: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.i686.elf (PID: 5650) Shell command executed: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.i686.elf (PID: 5656) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.i686.elf (PID: 5659) Shell command executed: sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.i686.elf (PID: 5664) Shell command executed: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.i686.elf (PID: 5667) Shell command executed: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.i686.elf (PID: 5672) Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.i686.elf (PID: 5677) Shell command executed: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.i686.elf (PID: 5680) Shell command executed: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.i686.elf (PID: 5685) Shell command executed: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.i686.elf (PID: 5690) Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.i686.elf (PID: 5693) Shell command executed: sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.i686.elf (PID: 5699) Shell command executed: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.i686.elf (PID: 5702) Shell command executed: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.i686.elf (PID: 5707) Shell command executed: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.i686.elf (PID: 5712) Shell command executed: sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.i686.elf (PID: 5715) Shell command executed: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.i686.elf (PID: 5720) Shell command executed: sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.i686.elf (PID: 5725) Shell command executed: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.i686.elf (PID: 5730) Shell command executed: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.i686.elf (PID: 5735) Shell command executed: sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.i686.elf (PID: 5738) Shell command executed: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.i686.elf (PID: 5742) Shell command executed: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.i686.elf (PID: 5747) Shell command executed: sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5531) Pkill executable: /usr/bin/pkill -> pkill -9 902i13 Jump to behavior
Source: /bin/sh (PID: 5545) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY Jump to behavior
Source: /bin/sh (PID: 5550) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7 Jump to behavior
Source: /bin/sh (PID: 5553) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL Jump to behavior
Source: /bin/sh (PID: 5558) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87 Jump to behavior
Source: /bin/sh (PID: 5561) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd Jump to behavior
Source: /bin/sh (PID: 5566) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X Jump to behavior
Source: /bin/sh (PID: 5590) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE Jump to behavior
Source: /bin/sh (PID: 5595) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e Jump to behavior
Source: /bin/sh (PID: 5600) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4 Jump to behavior
Source: /bin/sh (PID: 5603) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA Jump to behavior
Source: /bin/sh (PID: 5609) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex Jump to behavior
Source: /bin/sh (PID: 5612) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc Jump to behavior
Source: /bin/sh (PID: 5617) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ Jump to behavior
Source: /bin/sh (PID: 5620) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids Jump to behavior
Source: /bin/sh (PID: 5625) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86
Source: /bin/sh (PID: 5628) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 5633) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 5638) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 5643) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 5648) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 5651) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 5657) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 5660) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 5665) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 5668) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 5673) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 5678) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 5681) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 5686) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 5691) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 5694) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 5700) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 5703) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 5708) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 5713) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 5716) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 5721) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 5726) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 5731) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 5736) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 5739) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 5743) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 5748) Pkill executable: /usr/bin/pkill -> pkill -9 ggt

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 45152 -> 5060
Source: unknown Network traffic detected: IRC traffic on port 45152 -> 5060
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5531) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5545) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5553) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5561) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5566) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5590) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5595) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5600) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5603) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5609) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5612) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5617) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5620) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5625) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5628) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5638) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5643) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5648) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5651) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5657) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5660) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5665) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5668) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5673) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5678) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5681) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5686) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5691) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5694) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5700) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5703) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5708) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5713) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5716) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5721) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5726) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5731) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5736) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5739) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5743) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5748) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/busybox (PID: 5543) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5546) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5551) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5556) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5559) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5564) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5588) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5593) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5596) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5601) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5604) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5610) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5615) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5618) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5621) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5626) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5631) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5636) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5641) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5644) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5649) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5652) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5658) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5663) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5666) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5671) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5674) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5679) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5684) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5687) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5692) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5696) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5701) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5706) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5709) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5714) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5717) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5724) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5729) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5732) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5737) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5740) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5746) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5749) Queries kernel information via 'uname':
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
175.212.122.144
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
3.236.91.65
 unknown United States
14618 AMAZON-AESUS false
84.115.174.131
 unknown Austria
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
223.36.198.228
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
78.51.49.110
 unknown Germany
6805 TDDE-ASN1DE false
62.210.240.209
 unknown France
12876 OnlineSASFR false
129.185.213.239
 unknown France
3215 FranceTelecom-OrangeFR false
219.215.133.103
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
205.253.193.144
 unknown India
55836 RELIANCEJIO-INRelianceJioInfocommLimitedIN false
169.25.164.63
 unknown United States
37611 AfrihostZA false
175.45.32.227
 unknown Hong Kong
9381 HKBNES-AS-APHKBNEnterpriseSolutionsHKLimitedHK false
168.56.238.186
 unknown United States
1761 TDIR-CAPNETUS false
137.236.175.53
 unknown Canada
27495 OPENTEXT-AS-NA-US1CA false
12.119.9.53
 unknown United States
7018 ATT-INTERNET4US false
74.112.207.39
 unknown United States
11288 IDMS101US false
251.67.176.35
 unknown Reserved
unknown unknown false
222.93.45.191
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
41.250.58.41
 unknown Morocco
36903 MT-MPLSMA false
47.144.153.181
 unknown United States
5650 FRONTIER-FRTRUS false
95.104.166.124
 unknown Russian Federation
29190 OVERTA-ASRU false
56.192.246.143
 unknown United States
2686 ATGS-MMD-ASUS false
178.130.55.72
 unknown Russian Federation
41691 SUMTEL-AS-RIPEMoscowRussiaRU false
100.194.0.93
 unknown United States
21928 T-MOBILE-AS21928US false
16.143.125.154
 unknown United States
71 HP-INTERNET-ASUS false
99.86.94.128
 unknown United States
16509 AMAZON-02US false
247.13.219.185
 unknown Reserved
unknown unknown false
50.94.187.30
 unknown United States
14654 WAYPORTUS false
13.236.43.108
 unknown United States
16509 AMAZON-02US false
254.47.172.194
 unknown Reserved
unknown unknown false
174.180.104.198
 unknown United States
7922 COMCAST-7922US false
122.26.84.169
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
32.194.251.98
 unknown United States
2686 ATGS-MMD-ASUS false
244.66.159.245
 unknown Reserved
unknown unknown false
167.198.155.203
 unknown United States
2897 GEORGIA-1US false
140.234.122.135
 unknown United States
6932 EBSCOPUBUS false
155.100.93.190
 unknown United States
17055 UTAHUS false
221.177.183.83
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
248.177.67.84
 unknown Reserved
unknown unknown false
167.77.154.156
 unknown United States
16821 DUQ-LIGHTUS false
167.27.217.101
 unknown United States
7838 USAAUS false
186.85.179.235
 unknown Colombia
10620 TelmexColombiaSACO false
189.105.19.58
 unknown Brazil
7738 TelemarNorteLesteSABR false
140.48.57.118
 unknown United States
668 DNIC-AS-00668US false
219.93.138.84
 unknown Malaysia
4788 TMNET-AS-APTMNetInternetServiceProviderMY false
123.224.190.5
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
182.160.68.170
 unknown China
38805 CITINET-AS-MN-APSTXCitinetLeadingInternetVOIPService false
185.92.61.30
 unknown Netherlands
21315 ENGIE-SERVICES-SDONL false
190.92.204.176
 unknown Argentina
10986 DesarrollosDigitalesdePulsarConsultingAR false
207.248.139.241
 unknown Mexico
8151 UninetSAdeCVMX false
171.33.176.73
 unknown Germany
41998 NETCOMBW-ASDE false
217.173.86.230
 unknown Saudi Arabia
31699 BANK-AL-JAZIRA-ASSA false
84.128.219.173
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
250.82.209.113
 unknown Reserved
unknown unknown false
186.143.85.39
 unknown Argentina
11315 TelefonicaMovilesArgentinaSAMovistarArgentinaAR false
35.60.227.71
 unknown United States
36375 UMICH-AS-5US false
141.228.109.249
 unknown United Kingdom
12701 BARCAPLondonGB false
18.167.230.245
 unknown United States
16509 AMAZON-02US false
76.4.11.206
 unknown United States
18494 CENTURYLINK-LEGACY-EMBARQ-WRBGUS false
4.246.38.118
 unknown United States
3356 LEVEL3US false
120.173.149.213
 unknown Indonesia
4761 INDOSAT-INP-APINDOSATInternetNetworkProviderID false
193.61.227.220
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
208.213.34.229
 unknown United States
701 UUNETUS false
57.208.205.52
 unknown Belgium
2686 ATGS-MMD-ASUS false
194.43.25.142
 unknown United Kingdom
25400 TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO false
76.246.216.54
 unknown United States
7018 ATT-INTERNET4US false
82.53.197.227
 unknown Italy
3269 ASN-IBSNAZIT false
45.37.82.27
 unknown United States
11426 TWC-11426-CAROLINASUS false
159.105.104.30
 unknown United States
11577 GOVNET-ASNUS false
27.107.87.120
 unknown India
45194 SIPL-ASSysconInfowayPvtLtdIN false
103.226.223.159
 unknown Australia
38719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU false
112.233.244.112
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
167.177.165.185
 unknown United States
7800 ALLINA-HEALTH-SYSTEM-INCUS false
93.78.138.178
 unknown Ukraine
25229 VOLIA-ASUA false
61.111.94.226
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
183.138.12.95
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
35.49.49.219
 unknown United States
36375 UMICH-AS-5US false
36.184.170.84
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
132.45.77.54
 unknown United States
668 DNIC-AS-00668US false
62.246.52.13
 unknown Germany
12312 ECOTELDE false
249.51.220.245
 unknown Reserved
unknown unknown false
14.169.249.244
 unknown Viet Nam
45899 VNPT-AS-VNVNPTCorpVN false
98.202.134.232
 unknown United States
7922 COMCAST-7922US false
65.139.106.239
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
86.28.35.177
 unknown United Kingdom
5089 NTLGB false
94.0.68.102
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
240.13.55.107
 unknown Reserved
unknown unknown false
195.154.190.2
 unknown France
12876 OnlineSASFR false
65.83.89.174
 unknown United States
6389 BELLSOUTH-NET-BLKUS false
116.182.222.251
 unknown China
137539 UNICOM-HARBIN-IDCChinaUnicomCN false
203.95.52.251
 unknown Japan 10010 TOKAITOKAICommunicationsCorporationJP false
133.161.220.199
 unknown Japan 385 AFCONC-BLOCK1-ASUS false
28.85.163.56
 unknown United States
7922 COMCAST-7922US false
59.46.166.206
 unknown China
134762 CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali false
146.16.92.157
 unknown United States
197938 TRAVIANGAMESDE false
94.158.29.134
 unknown Switzerland
197929 PRONET-COMBG false
99.216.240.223
 unknown Canada
812 ROGERS-COMMUNICATIONSCA false
194.132.63.64
 unknown Sweden
12552 IPO-EUSE false
191.76.42.45
 unknown Colombia
26611 COMCELSACO false
214.199.190.179
 unknown United States
721 DNIC-ASBLK-00721-00726US false
192.165.141.126
 unknown Sweden
9201 SWAFSwedishArmedForcesSE false