| Source: bot.arm6.elf |
ReversingLabs: Detection: 60% |
| Source: bot.arm6.elf |
String: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f |
| Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
| Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
| Source: global traffic |
DNS traffic detected: DNS query: daisy.ubuntu.com |
| Source: bot.arm6.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: 5524.1.00007f545c017000.00007f545c036000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: Process Memory Space: bot.arm6.elf PID: 5524, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: Initial sample |
String containing 'busybox' found: busybox |
| Source: Initial sample |
String containing 'busybox' found: /bin/busybox |
| Source: Initial sample |
String containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurlbusybox/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f |
| Source: ELF static info symbol of initial sample |
.symtab present: no |
| Source: bot.arm6.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: 5524.1.00007f545c017000.00007f545c036000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: Process Memory Space: bot.arm6.elf PID: 5524, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: classification engine |
Classification label: mal88.troj.linELF@0/0@2/0 |
| Source: /tmp/bot.arm6.elf (PID: 5524) |
Queries kernel information via 'uname': |
Jump to behavior |
| Source: bot.arm6.elf, 5524.1.0000555b46ab5000.0000555b46be3000.rw-.sdmp |
Binary or memory string: F[U!/etc/qemu-binfmt/arm |
| Source: bot.arm6.elf, 5524.1.00007fffddcc5000.00007fffddce6000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/bot.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bot.arm6.elf |
| Source: bot.arm6.elf, 5524.1.0000555b46ab5000.0000555b46be3000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
| Source: bot.arm6.elf, 5524.1.00007fffddcc5000.00007fffddce6000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |
| Source: bot.arm6.elf, 5524.1.00007fffddcc5000.00007fffddce6000.rw-.sdmp |
Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped |
| Source: Yara match |
File source: bot.arm6.elf, type: SAMPLE |
| Source: Yara match |
File source: 5524.1.00007f545c017000.00007f545c036000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: bot.arm6.elf PID: 5524, type: MEMORYSTR |
| Source: Yara match |
File source: bot.arm6.elf, type: SAMPLE |
| Source: Yara match |
File source: 5524.1.00007f545c017000.00007f545c036000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: bot.arm6.elf PID: 5524, type: MEMORYSTR |
| Source: Yara match |
File source: bot.arm6.elf, type: SAMPLE |
| Source: Yara match |
File source: 5524.1.00007f545c017000.00007f545c036000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: bot.arm6.elf PID: 5524, type: MEMORYSTR |
| Source: Yara match |
File source: bot.arm6.elf, type: SAMPLE |
| Source: Yara match |
File source: 5524.1.00007f545c017000.00007f545c036000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: bot.arm6.elf PID: 5524, type: MEMORYSTR |
