Linux Analysis Report
fbot.spc.elf

Overview

General Information

Sample name:	fbot.spc.elf
Analysis ID:	1562718
MD5:	cb004bcacd887ec0617eaa7329be980b
SHA1:	a917a4a0b9fb68f14546de579d90994bc2148e4a
SHA256:	380368a262b62b3b1da8d0b0ad480b9c484a33f20837fda48fd6e7da281696c0
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Moobot

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Moobot

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fbot.spc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: fbot.spc.elf

ReversingLabs: Detection: 65%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.15:54576 -> 212.224.107.142:1999

Source: unknown	TCP traffic detected without corresponding DNS query: 212.224.107.142
Source: unknown	TCP traffic detected without corresponding DNS query: 61.51.100.71
Source: unknown	TCP traffic detected without corresponding DNS query: 223.208.164.64
Source: unknown	TCP traffic detected without corresponding DNS query: 98.92.24.71
Source: unknown	TCP traffic detected without corresponding DNS query: 45.224.130.184
Source: unknown	TCP traffic detected without corresponding DNS query: 88.93.80.248
Source: unknown	TCP traffic detected without corresponding DNS query: 167.129.184.40
Source: unknown	TCP traffic detected without corresponding DNS query: 146.163.117.246
Source: unknown	TCP traffic detected without corresponding DNS query: 42.234.173.29
Source: unknown	TCP traffic detected without corresponding DNS query: 115.238.179.127
Source: unknown	TCP traffic detected without corresponding DNS query: 78.160.74.210
Source: unknown	TCP traffic detected without corresponding DNS query: 191.154.219.182
Source: unknown	TCP traffic detected without corresponding DNS query: 68.101.211.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.216.117.168
Source: unknown	TCP traffic detected without corresponding DNS query: 69.184.25.225
Source: unknown	TCP traffic detected without corresponding DNS query: 151.203.65.235
Source: unknown	TCP traffic detected without corresponding DNS query: 217.255.3.74
Source: unknown	TCP traffic detected without corresponding DNS query: 147.152.173.77
Source: unknown	TCP traffic detected without corresponding DNS query: 123.255.213.59
Source: unknown	TCP traffic detected without corresponding DNS query: 108.159.187.248
Source: unknown	TCP traffic detected without corresponding DNS query: 5.214.111.242
Source: unknown	TCP traffic detected without corresponding DNS query: 163.198.127.49
Source: unknown	TCP traffic detected without corresponding DNS query: 197.86.164.187
Source: unknown	TCP traffic detected without corresponding DNS query: 167.158.207.5
Source: unknown	TCP traffic detected without corresponding DNS query: 252.219.40.67
Source: unknown	TCP traffic detected without corresponding DNS query: 98.190.177.166
Source: unknown	TCP traffic detected without corresponding DNS query: 125.117.41.98
Source: unknown	TCP traffic detected without corresponding DNS query: 12.234.52.195
Source: unknown	TCP traffic detected without corresponding DNS query: 178.226.132.190
Source: unknown	TCP traffic detected without corresponding DNS query: 80.111.149.221
Source: unknown	TCP traffic detected without corresponding DNS query: 94.5.186.200
Source: unknown	TCP traffic detected without corresponding DNS query: 101.179.82.22
Source: unknown	TCP traffic detected without corresponding DNS query: 19.74.206.168
Source: unknown	TCP traffic detected without corresponding DNS query: 72.130.58.7
Source: unknown	TCP traffic detected without corresponding DNS query: 161.236.116.92
Source: unknown	TCP traffic detected without corresponding DNS query: 93.119.252.141
Source: unknown	TCP traffic detected without corresponding DNS query: 72.183.160.117
Source: unknown	TCP traffic detected without corresponding DNS query: 46.247.230.253
Source: unknown	TCP traffic detected without corresponding DNS query: 96.170.63.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.5.99.218
Source: unknown	TCP traffic detected without corresponding DNS query: 149.28.162.33
Source: unknown	TCP traffic detected without corresponding DNS query: 82.227.75.182
Source: unknown	TCP traffic detected without corresponding DNS query: 219.199.231.101
Source: unknown	TCP traffic detected without corresponding DNS query: 27.244.62.103
Source: unknown	TCP traffic detected without corresponding DNS query: 136.65.129.254
Source: unknown	TCP traffic detected without corresponding DNS query: 115.220.83.179
Source: unknown	TCP traffic detected without corresponding DNS query: 160.162.231.226
Source: unknown	TCP traffic detected without corresponding DNS query: 71.223.214.219
Source: unknown	TCP traffic detected without corresponding DNS query: 133.217.222.62
Source: unknown	TCP traffic detected without corresponding DNS query: 86.40.165.98

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@2/0

Enumerates processes within the "proc" file system

Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5784/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1185/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3241/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3483/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5817/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1732/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5819/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1730/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3235/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3234/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/515/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1617/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1615/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3255/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3253/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3252/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3251/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3250/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1623/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3249/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/764/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3368/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3246/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3488/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/766/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/888/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1509/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3800/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3801/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1867/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3802/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1514/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1634/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1875/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/654/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3379/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/655/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/656/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/657/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/779/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/658/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5678/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/418/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/419/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5834/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3275/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3274/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3273/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3394/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3272/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/782/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1762/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3027/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/789/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5842/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1806/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5846/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3702/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1660/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3044/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3440/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/793/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/794/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3316/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/674/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/796/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/675/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/676/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1498/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1497/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1496/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3157/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3278/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3399/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3799/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1659/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3332/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3210/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3298/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3055/cmdline	Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/fbot.spc.elf (PID: 5832)

Queries kernel information via 'uname':

Jump to behavior

Source: fbot.spc.elf, 5832.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5835.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5841.1.000055a12a428000.000055a12a48d000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: fbot.spc.elf, 5832.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5835.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5841.1.000055a12a428000.000055a12a48d000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: fbot.spc.elf, 5832.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5835.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5841.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/fbot.spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/fbot.spc.elf
Source: fbot.spc.elf, 5832.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5835.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5841.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
94.57.15.175	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	false
209.217.2.33	unknown	United States	7258	CATALOG-AS7258US	false
176.216.90.227	unknown	Turkey	8386	KOCNETTR	false
27.214.27.141	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
95.92.78.199	unknown	Portugal	2860	NOS_COMUNICACOESPT	false
95.15.25.195	unknown	Turkey	9121	TTNETTR	false
86.22.223.75	unknown	United Kingdom	5089	NTLGB	false
94.81.248.209	unknown	Italy	3269	ASN-IBSNAZIT	false
193.24.244.111	unknown	Poland	198036	NETSERVIS-ISPPL	false
37.255.2.55	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
66.206.239.244	unknown	Canada	23184	PERSONACA	false
80.218.83.156	unknown	Switzerland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
181.121.12.228	unknown	Paraguay	23201	TelecelSAPY	false
114.150.60.208	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
124.35.38.231	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
46.202.178.157	unknown	Ukraine	6877	AS6877UA	false
86.96.83.38	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	false
203.82.90.161	unknown	Malaysia	10030	CELCOMNET-APCelcomAxiataBerhadMY	false
102.254.127.171	unknown	South Africa	5713	SAIX-NETZA	false
145.126.59.73	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
109.134.208.117	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
62.163.253.216	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
168.121.22.68	unknown	Brazil	264390	MLMSANTOSINFOLTDABR	false
172.213.39.123	unknown	United States	18747	IFX18747US	false
246.63.104.182	unknown	Reserved	unknown	unknown	false
190.230.191.77	unknown	Argentina	7303	TelecomArgentinaSAAR	false
153.48.232.195	unknown	United States	1226	CTA-42-AS1226US	false
244.150.171.238	unknown	Reserved	unknown	unknown	false
120.147.132.30	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
246.0.35.98	unknown	Reserved	unknown	unknown	false
105.180.23.36	unknown	Egypt	37069	MOBINILEG	false
17.203.59.254	unknown	United States	714	APPLE-ENGINEERINGUS	false
203.54.41.81	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
213.181.241.178	unknown	Egypt	8524	eg-aucEG	false
161.190.23.31	unknown	Argentina	13474	BancodeGaliciayBuenosAiresAR	false
245.69.49.167	unknown	Reserved	unknown	unknown	false
5.183.213.155	unknown	France	37002	ReunicableRE	false
113.28.224.46	unknown	Hong Kong	4515	ERX-STARHKTLimitedHK	false
250.185.220.237	unknown	Reserved	unknown	unknown	false
135.192.237.216	unknown	United States	14962	NCR-252US	false
138.217.11.202	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
170.73.197.176	unknown	United States	16761	FEDMOG-ASN-01US	false
197.39.104.98	unknown	Egypt	8452	TE-ASTE-ASEG	false
223.179.249.214	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
75.94.191.169	unknown	United States	7029	WINDSTREAMUS	false
68.144.147.79	unknown	Canada	6327	SHAWCA	false
189.37.88.157	unknown	Brazil	16735	ALGARTELECOMSABR	false
79.31.255.25	unknown	Italy	3269	ASN-IBSNAZIT	false
35.131.196.214	unknown	United States	20115	CHARTER-20115US	false
87.68.104.186	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	false
124.195.143.160	unknown	Malaysia	37997	YTLCOMMS-MYYTLCommunicationsSdnBhdMY	false
34.95.211.8	unknown	United States	15169	GOOGLEUS	false
166.205.98.107	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
219.161.134.194	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
151.201.89.116	unknown	United States	701	UUNETUS	false
110.59.131.169	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
175.82.153.225	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
32.233.228.98	unknown	United States	2686	ATGS-MMD-ASUS	false
100.174.217.83	unknown	United States	21928	T-MOBILE-AS21928US	false
118.28.46.21	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
69.252.184.115	unknown	United States	7922	COMCAST-7922US	false
70.96.159.142	unknown	United States	7385	ALLSTREAMUS	false
161.78.204.231	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
207.62.171.212	unknown	United States	7960	CALPOLY-NET-ENSUS	false
85.51.224.165	unknown	Spain	12479	UNI2-ASES	false
27.134.103.128	unknown	Japan	10013	FBDCFreeBitCoLtdJP	false
14.85.105.161	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
241.202.210.230	unknown	Reserved	unknown	unknown	false
95.94.115.87	unknown	Portugal	2860	NOS_COMUNICACOESPT	false
163.249.147.227	unknown	United States	5133	DNIC-ASBLK-05120-05376US	false
35.45.231.36	unknown	United States	36375	UMICH-AS-5US	false
251.141.100.51	unknown	Reserved	unknown	unknown	false
76.41.44.81	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
166.187.254.232	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
13.29.253.35	unknown	United States	26662	XEROX-WVUS	false
148.250.68.88	unknown	Mexico	6503	AxtelSABdeCVMX	false
142.213.31.242	unknown	Canada	11489	BACICA	false
241.4.156.117	unknown	Reserved	unknown	unknown	false
4.164.115.90	unknown	United States	3356	LEVEL3US	false
54.7.75.208	unknown	United States	14618	AMAZON-AESUS	false
167.135.191.216	unknown	United States	11404	AS-WAVE-1US	false
210.163.159.125	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
76.101.13.182	unknown	United States	7922	COMCAST-7922US	false
192.100.171.84	unknown	Honduras	263234	SECRETARIADEESTADOENELDESPACHODEFINANZASHN	false
159.122.199.18	unknown	United States	36351	SOFTLAYERUS	false
189.172.127.34	unknown	Mexico	8151	UninetSAdeCVMX	false
116.51.244.139	unknown	Singapore	17645	NTT-SG-APASN-NTTSINGAPOREPTELTDSG	false
107.53.177.144	unknown	United States	16567	NETRIX-16567US	false
41.140.93.186	unknown	Morocco	36903	MT-MPLSMA	false
172.91.179.181	unknown	United States	20001	TWC-20001-PACWESTUS	false
103.33.85.33	unknown	China	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
102.220.116.2	unknown	unknown	36926	CKL1-ASNKE	false
135.96.43.183	unknown	United States	18676	AVAYAUS	false
167.225.195.226	unknown	United States	1906	NORTHROP-GRUMMANUS	false
245.195.34.55	unknown	Reserved	unknown	unknown	false
196.165.216.97	unknown	South Africa	328065	Vast-Networks-ASZA	false
84.234.82.119	unknown	Denmark	16095	JAYNETSentiaDanmarkASDK	false
73.229.114.46	unknown	United States	7922	COMCAST-7922US	false
111.4.0.69	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
207.135.123.87	unknown	United States	6379	ALINKUS	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.24	true

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fbot.spc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: fbot.spc.elf

ReversingLabs: Detection: 65%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.15:54576 -> 212.224.107.142:1999

Source: unknown	TCP traffic detected without corresponding DNS query: 212.224.107.142
Source: unknown	TCP traffic detected without corresponding DNS query: 61.51.100.71
Source: unknown	TCP traffic detected without corresponding DNS query: 223.208.164.64
Source: unknown	TCP traffic detected without corresponding DNS query: 98.92.24.71
Source: unknown	TCP traffic detected without corresponding DNS query: 45.224.130.184
Source: unknown	TCP traffic detected without corresponding DNS query: 88.93.80.248
Source: unknown	TCP traffic detected without corresponding DNS query: 167.129.184.40
Source: unknown	TCP traffic detected without corresponding DNS query: 146.163.117.246
Source: unknown	TCP traffic detected without corresponding DNS query: 42.234.173.29
Source: unknown	TCP traffic detected without corresponding DNS query: 115.238.179.127
Source: unknown	TCP traffic detected without corresponding DNS query: 78.160.74.210
Source: unknown	TCP traffic detected without corresponding DNS query: 191.154.219.182
Source: unknown	TCP traffic detected without corresponding DNS query: 68.101.211.77
Source: unknown	TCP traffic detected without corresponding DNS query: 45.216.117.168
Source: unknown	TCP traffic detected without corresponding DNS query: 69.184.25.225
Source: unknown	TCP traffic detected without corresponding DNS query: 151.203.65.235
Source: unknown	TCP traffic detected without corresponding DNS query: 217.255.3.74
Source: unknown	TCP traffic detected without corresponding DNS query: 147.152.173.77
Source: unknown	TCP traffic detected without corresponding DNS query: 123.255.213.59
Source: unknown	TCP traffic detected without corresponding DNS query: 108.159.187.248
Source: unknown	TCP traffic detected without corresponding DNS query: 5.214.111.242
Source: unknown	TCP traffic detected without corresponding DNS query: 163.198.127.49
Source: unknown	TCP traffic detected without corresponding DNS query: 197.86.164.187
Source: unknown	TCP traffic detected without corresponding DNS query: 167.158.207.5
Source: unknown	TCP traffic detected without corresponding DNS query: 252.219.40.67
Source: unknown	TCP traffic detected without corresponding DNS query: 98.190.177.166
Source: unknown	TCP traffic detected without corresponding DNS query: 125.117.41.98
Source: unknown	TCP traffic detected without corresponding DNS query: 12.234.52.195
Source: unknown	TCP traffic detected without corresponding DNS query: 178.226.132.190
Source: unknown	TCP traffic detected without corresponding DNS query: 80.111.149.221
Source: unknown	TCP traffic detected without corresponding DNS query: 94.5.186.200
Source: unknown	TCP traffic detected without corresponding DNS query: 101.179.82.22
Source: unknown	TCP traffic detected without corresponding DNS query: 19.74.206.168
Source: unknown	TCP traffic detected without corresponding DNS query: 72.130.58.7
Source: unknown	TCP traffic detected without corresponding DNS query: 161.236.116.92
Source: unknown	TCP traffic detected without corresponding DNS query: 93.119.252.141
Source: unknown	TCP traffic detected without corresponding DNS query: 72.183.160.117
Source: unknown	TCP traffic detected without corresponding DNS query: 46.247.230.253
Source: unknown	TCP traffic detected without corresponding DNS query: 96.170.63.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.5.99.218
Source: unknown	TCP traffic detected without corresponding DNS query: 149.28.162.33
Source: unknown	TCP traffic detected without corresponding DNS query: 82.227.75.182
Source: unknown	TCP traffic detected without corresponding DNS query: 219.199.231.101
Source: unknown	TCP traffic detected without corresponding DNS query: 27.244.62.103
Source: unknown	TCP traffic detected without corresponding DNS query: 136.65.129.254
Source: unknown	TCP traffic detected without corresponding DNS query: 115.220.83.179
Source: unknown	TCP traffic detected without corresponding DNS query: 160.162.231.226
Source: unknown	TCP traffic detected without corresponding DNS query: 71.223.214.219
Source: unknown	TCP traffic detected without corresponding DNS query: 133.217.222.62
Source: unknown	TCP traffic detected without corresponding DNS query: 86.40.165.98

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: fbot.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@2/0

Enumerates processes within the "proc" file system

Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5784/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1185/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3241/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3483/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5817/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1732/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5819/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1730/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3235/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3234/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/515/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1617/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1615/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3255/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3253/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3252/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3251/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3250/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1623/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3249/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/764/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3368/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3246/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3488/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/766/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/888/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1509/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3800/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3801/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1867/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3802/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1514/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1634/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1875/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/654/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3379/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/655/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/656/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/657/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/779/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/658/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5678/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/418/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/419/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5834/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3275/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3274/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3273/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3394/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3272/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/782/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1762/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3027/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/789/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5842/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1806/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/5846/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3702/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1660/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3044/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3440/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/793/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/794/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3316/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/674/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/796/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/675/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/676/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1498/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1497/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1496/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3157/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3278/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3399/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3799/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/1659/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3332/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3210/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3298/cmdline	Jump to behavior
Source: /tmp/fbot.spc.elf (PID: 5840)	File opened: /proc/3055/cmdline	Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/fbot.spc.elf (PID: 5832)

Queries kernel information via 'uname':

Jump to behavior

Source: fbot.spc.elf, 5832.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5835.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5841.1.000055a12a428000.000055a12a48d000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: fbot.spc.elf, 5832.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5835.1.000055a12a428000.000055a12a48d000.rw-.sdmp, fbot.spc.elf, 5841.1.000055a12a428000.000055a12a48d000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: fbot.spc.elf, 5832.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5835.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5841.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/fbot.spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/fbot.spc.elf
Source: fbot.spc.elf, 5832.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5835.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp, fbot.spc.elf, 5841.1.00007ffe6429c000.00007ffe642bd000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

Yara detected Moobot

Source: Yara match	File source: fbot.spc.elf, type: SAMPLE
Source: Yara match	File source: 5835.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5841.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5832.1.00007f80ec011000.00007f80ec024000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5835, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fbot.spc.elf PID: 5841, type: MEMORYSTR

ID:	1562718
Product:	CloudBasic
Start time:	23:01:48
Start date:	25.11.2024
Sample:	fbot.spc.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	cb004bcacd887ec0617eaa7329be980b
SHA1:	a917a4a0b9fb68f14546de579d90994bc2148e4a
SHA256:	380368a262b62b3b1da8d0b0ad480b9c484a33f20837fda48fd6e7da281696c0
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
fbot.spc.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report fbot.spc.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
fbot.spc.elf

Malware Threat Intel
Provided by