Linux Analysis Report
sora.m68k.elf

Overview

General Information

Sample name: sora.m68k.elf
Analysis ID: 1561518
MD5: 76033ef22de05aad6f4f7c206b3c2e87
SHA1: a6de09de42f89d3ef3e1529f2055b6251c478a10
SHA256: 8cfd223050da144947a6811afef6fc688a746bc13795cf8329cfd9ca2fe93899
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: sora.m68k.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: sora.m68k.elf ReversingLabs: Detection: 71%
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:36620 -> 45.95.169.104:1312
Sample listens on a socket
Source: /tmp/sora.m68k.elf (PID: 5490) Socket: 0.0.0.0:0 Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) Socket: 0.0.0.0:0 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.169.104
Source: unknown TCP traffic detected without corresponding DNS query: 27.31.176.135
Source: unknown TCP traffic detected without corresponding DNS query: 245.208.216.135
Source: unknown TCP traffic detected without corresponding DNS query: 47.241.3.112
Source: unknown TCP traffic detected without corresponding DNS query: 16.143.87.250
Source: unknown TCP traffic detected without corresponding DNS query: 31.251.28.84
Source: unknown TCP traffic detected without corresponding DNS query: 113.75.143.90
Source: unknown TCP traffic detected without corresponding DNS query: 241.62.20.225
Source: unknown TCP traffic detected without corresponding DNS query: 140.251.103.166
Source: unknown TCP traffic detected without corresponding DNS query: 157.230.147.235
Source: unknown TCP traffic detected without corresponding DNS query: 165.139.22.118
Source: unknown TCP traffic detected without corresponding DNS query: 216.177.87.92
Source: unknown TCP traffic detected without corresponding DNS query: 175.51.76.98
Source: unknown TCP traffic detected without corresponding DNS query: 148.49.18.139
Source: unknown TCP traffic detected without corresponding DNS query: 178.152.65.56
Source: unknown TCP traffic detected without corresponding DNS query: 209.23.42.234
Source: unknown TCP traffic detected without corresponding DNS query: 66.224.170.26
Source: unknown TCP traffic detected without corresponding DNS query: 77.17.138.110
Source: unknown TCP traffic detected without corresponding DNS query: 92.164.65.218
Source: unknown TCP traffic detected without corresponding DNS query: 117.52.250.251
Source: unknown TCP traffic detected without corresponding DNS query: 108.48.251.228
Source: unknown TCP traffic detected without corresponding DNS query: 79.137.205.30
Source: unknown TCP traffic detected without corresponding DNS query: 172.223.202.31
Source: unknown TCP traffic detected without corresponding DNS query: 23.24.254.129
Source: unknown TCP traffic detected without corresponding DNS query: 145.228.170.74
Source: unknown TCP traffic detected without corresponding DNS query: 41.192.22.164
Source: unknown TCP traffic detected without corresponding DNS query: 109.41.30.76
Source: unknown TCP traffic detected without corresponding DNS query: 81.243.36.9
Source: unknown TCP traffic detected without corresponding DNS query: 42.104.94.147
Source: unknown TCP traffic detected without corresponding DNS query: 87.74.159.247
Source: unknown TCP traffic detected without corresponding DNS query: 39.153.51.227
Source: unknown TCP traffic detected without corresponding DNS query: 175.227.232.19
Source: unknown TCP traffic detected without corresponding DNS query: 130.191.150.113
Source: unknown TCP traffic detected without corresponding DNS query: 124.164.142.106
Source: unknown TCP traffic detected without corresponding DNS query: 162.164.65.243
Source: unknown TCP traffic detected without corresponding DNS query: 90.107.207.204
Source: unknown TCP traffic detected without corresponding DNS query: 90.240.57.204
Source: unknown TCP traffic detected without corresponding DNS query: 142.84.162.126
Source: unknown TCP traffic detected without corresponding DNS query: 125.191.162.86
Source: unknown TCP traffic detected without corresponding DNS query: 163.34.19.183
Source: unknown TCP traffic detected without corresponding DNS query: 169.101.29.215
Source: unknown TCP traffic detected without corresponding DNS query: 42.241.78.45
Source: unknown TCP traffic detected without corresponding DNS query: 114.154.111.168
Source: unknown TCP traffic detected without corresponding DNS query: 192.115.65.25
Source: unknown TCP traffic detected without corresponding DNS query: 84.103.167.211
Source: unknown TCP traffic detected without corresponding DNS query: 109.248.244.62
Source: unknown TCP traffic detected without corresponding DNS query: 221.12.176.222
Source: unknown TCP traffic detected without corresponding DNS query: 36.21.20.66
Source: unknown TCP traffic detected without corresponding DNS query: 119.156.173.98
Source: unknown TCP traffic detected without corresponding DNS query: 31.168.152.32
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: sora.m68k.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: sora.m68k.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5629.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5629.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5611.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5611.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5490.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5490.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5502.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5502.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5491.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5491.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5612.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5612.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5602.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5602.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5488.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5488.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5490, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5490, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5491, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5491, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5611, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5611, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5629, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: sora.m68k.elf PID: 5629, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/sora.m68k.elf (PID: 5490) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) SIGKILL sent: pid: 936, result: successful Jump to behavior
Yara signature match
Source: sora.m68k.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: sora.m68k.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5629.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5629.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5611.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5611.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5490.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5490.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5502.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5502.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5491.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5491.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5612.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5612.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5602.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5602.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5488.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5488.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5490, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5490, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5491, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5491, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5611, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5611, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5629, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: sora.m68k.elf PID: 5629, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.troj.linELF@0/0@4/0
Enumerates processes within the "proc" file system
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/490/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/790/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/792/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/793/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/795/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/797/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/778/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/855/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/914/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/936/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/816/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/917/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/780/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/660/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/1/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/783/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/884/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/765/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/800/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/767/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/802/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/726/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/803/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5496) File opened: /proc/727/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/490/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/790/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/792/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/793/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/795/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/797/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/778/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/855/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/914/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/936/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/816/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/917/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/780/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/660/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/1/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/783/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/884/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/765/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/800/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/767/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/802/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/726/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/803/fd Jump to behavior
Source: /tmp/sora.m68k.elf (PID: 5490) File opened: /proc/727/fd Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/sora.m68k.elf (PID: 5488) Queries kernel information via 'uname': Jump to behavior
Source: sora.m68k.elf, 5488.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5490.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5602.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5629.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5612.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5491.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5611.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5502.1.000055a3f6091000.000055a3f6116000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: sora.m68k.elf, 5488.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5490.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5602.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5629.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5612.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5491.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5611.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5502.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: sora.m68k.elf, 5488.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5490.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5602.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5629.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5612.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5491.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5611.1.000055a3f6091000.000055a3f6116000.rw-.sdmp, sora.m68k.elf, 5502.1.000055a3f6091000.000055a3f6116000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: sora.m68k.elf, 5488.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5490.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5602.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5629.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5612.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5491.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5611.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp, sora.m68k.elf, 5502.1.00007fffd5bf6000.00007fffd5c17000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/sora.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sora.m68k.elf

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: sora.m68k.elf, type: SAMPLE
Source: Yara match File source: 5629.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5611.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5490.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5502.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5491.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5612.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5602.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5488.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: sora.m68k.elf, type: SAMPLE
Source: Yara match File source: 5629.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5611.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5490.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5502.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5491.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5612.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5602.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5488.1.00007fc060001000.00007fc060011000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
198.146.188.54
 unknown United States
19956 TENNESSEE-NETUS false
121.238.137.187
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
2.22.60.225
 unknown European Union
12222 AKAMAIUS false
77.1.141.141
 unknown Germany
6805 TDDE-ASN1DE false
180.91.157.156
 unknown China
7497 CSTNET-AS-APComputerNetworkInformationCenterCN false
77.94.140.54
 unknown Slovenia
43061 SI-STELKOMSI false
114.103.95.159
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
159.250.190.151
 unknown United States
11776 ATLANTICBB-JOHNSTOWNUS false
77.118.198.243
 unknown Austria
8437 UTA-ASAT false
244.255.153.91
 unknown Reserved
unknown unknown false
58.58.128.92
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
134.245.99.20
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
176.163.247.68
 unknown France
5410 BOUYGTEL-ISPFR false
171.175.104.112
 unknown United States
9874 STARHUB-MOBILEStarHubLtdSG false
153.150.85.80
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
247.74.8.155
 unknown Reserved
unknown unknown false
170.26.92.114
 unknown United States
23410 NET-NASSAU-BOCESUS false
221.117.58.161
 unknown Japan 17506 UCOMARTERIANetworksCorporationJP false
45.30.40.134
 unknown United States
7018 ATT-INTERNET4US false
2.227.45.85
 unknown Italy
12874 FASTWEBIT false
74.214.134.169
 unknown Canada
36817 MCSNETCA false
216.241.99.90
 unknown United States
13649 ASN-VINSUS false
44.228.255.243
 unknown United States
16509 AMAZON-02US false
114.211.84.82
 unknown China
9595 XEPHIONNTT-MECorporationJP false
209.69.24.87
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
247.195.92.216
 unknown Reserved
unknown unknown false
85.21.105.83
 unknown Russian Federation
29125 TATINT-ASRU false
135.163.221.208
 unknown United States
14962 NCR-252US false
152.101.234.182
 unknown Hong Kong
4058 CITICTEL-CPC-AS4058CITICTelecomInternationalCPCLimited false
212.67.255.219
 unknown Austria
8412 TMARennweg97-99AT false
74.120.28.100
 unknown Puerto Rico
39963 IP-SOLUTIONSPR false
164.137.126.160
 unknown United Kingdom
3303 SWISSCOMSwisscomSwitzerlandLtdCH false
193.55.15.41
 unknown France
2200 FR-RENATERReseauNationaldetelecommunicationspourlaTec false
100.185.97.124
 unknown United States
21928 T-MOBILE-AS21928US false
119.134.110.208
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
31.61.47.62
 unknown Poland
5617 TPNETPL false
151.111.130.179
 unknown United States
1998 STATE-OF-MNUS false
106.162.29.232
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
4.233.82.246
 unknown United States
3356 LEVEL3US false
122.2.207.118
 unknown Philippines
9299 IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH false
37.48.145.106
 unknown Syrian Arab Republic
29256 INT-PDN-STE-ASSTEPDNInternalASSY false
123.31.16.51
 unknown Viet Nam
45899 VNPT-AS-VNVNPTCorpVN false
120.189.11.126
 unknown Indonesia
4761 INDOSAT-INP-APINDOSATInternetNetworkProviderID false
201.135.94.42
 unknown Mexico
8151 UninetSAdeCVMX false
156.97.30.191
 unknown Chile
393504 XNSTGCA false
105.3.120.245
 unknown South Africa
37168 CELL-CZA false
42.210.249.162
 unknown China
4249 LILLY-ASUS false
47.134.239.49
 unknown United States
20115 CHARTER-20115US false
57.28.196.7
 unknown Belgium
2686 ATGS-MMD-ASUS false
156.238.135.141
 unknown Seychelles
26484 IKGUL-26484US false
46.36.20.11
 unknown Russian Federation
48642 KTEL-ASEkaterinburgRussiaRU false
79.93.89.21
 unknown France
15557 LDCOMNETFR false
244.212.135.76
 unknown Reserved
unknown unknown false
207.197.66.125
 unknown United States
3851 NSHE-NEVADANETUS false
42.248.146.123
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
244.11.244.120
 unknown Reserved
unknown unknown false
175.243.11.171
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
99.79.220.130
 unknown United States
16509 AMAZON-02US false
161.221.92.123
 unknown United States
39960 BARNES-AND-NOBLEUS false
2.45.250.253
 unknown Italy
30722 VODAFONE-IT-ASNIT false
65.109.175.1
 unknown United States
11022 ALABANZA-BALTUS false
104.147.102.52
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
58.176.2.210
 unknown Hong Kong
9269 HKBN-AS-APHongKongBroadbandNetworkLtdHK false
145.44.93.153
 unknown Netherlands
1103 SURFNET-NLSURFnetTheNetherlandsNL false
59.120.77.124
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
126.136.229.44
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
173.27.151.21
 unknown United States
30036 MEDIACOM-ENTERPRISE-BUSINESSUS false
216.193.85.252
 unknown United States
17184 ATL-CBEYONDUS false
53.160.110.83
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
61.195.128.63
 unknown Japan 10002 ICTIGAUENOCABLETELEVISIONCOLTDJP false
16.239.134.131
 unknown United States
unknown unknown false
167.195.0.8
 unknown United States
2897 GEORGIA-1US false
170.207.170.91
 unknown United States
17389 IHS-GROUPUS false
111.64.192.80
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
105.74.194.170
 unknown Morocco
36884 MAROCCONNECTMA false
109.116.112.103
 unknown Italy
30722 VODAFONE-IT-ASNIT false
217.142.102.78
 unknown Sweden
16253 BORDERLIGHT-ASVretgrand18SE false
105.71.24.42
 unknown Morocco
36884 MAROCCONNECTMA false
31.72.225.205
 unknown United Kingdom
12576 EELtdGB false
110.139.176.127
 unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID false
9.146.213.250
 unknown United States
3356 LEVEL3US false
105.188.238.190
 unknown Morocco
36925 ASMediMA false
141.134.38.101
 unknown Belgium
6848 TELENET-ASBE false
122.229.39.112
 unknown China
134771 CHINATELECOM-ZHEJIANG-WENZHOU-IDCWENZHOUZHEJIANGProvince false
217.185.120.51
 unknown Germany
6805 TDDE-ASN1DE false
116.188.238.184
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
42.130.115.99
 unknown China
4249 LILLY-ASUS false
190.232.88.140
 unknown Peru
6147 TelefonicadelPeruSAAPE false
61.251.255.190
 unknown Korea Republic of
38096 QRIXNETNW-AS-KRQrixnowoncableIncKR false
254.255.219.103
 unknown Reserved
unknown unknown false
148.183.118.45
 unknown United States
11529 NGUS-ASUS false
123.1.151.72
 unknown Hong Kong
17444 NWT-AS-APASnumberforNewWorldTelephoneLtdHK false
93.13.237.0
 unknown France
15557 LDCOMNETFR false
59.5.195.229
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
180.234.214.222
 unknown Saudi Arabia
25019 SAUDINETSTC-ASSA false
159.255.198.9
 unknown Spain
15699 AS_ADAMAdamDatacenterES false
160.115.102.22
 unknown South Africa
6711 HUNGARNET-SZEGEDSzegedUniversityAssociationandHU false
192.70.163.58
 unknown United States
19102 PCI-TWUS false
104.169.241.47
 unknown United States
5650 FRONTIER-FRTRUS false
204.237.164.88
 unknown United States
1828 UNITASUS false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true