Linux Analysis Report
linux_arm6.elf

Overview

General Information

Sample name: linux_arm6.elf
Analysis ID: 1562730
MD5: d9550769629c39a2fd6a700cf40de770
SHA1: 790d6ef2dcbdc9d3c2f9cc1e2df8b5ba09d98673
SHA256: acfed07e3530a36f137ae03a2641a15451947356c8716e39634b0fea95f4607b
Tags: elfuser-abuse_ch
Infos:

Detection

Chaos
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Chaos
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Detected TCP or UDP traffic on non-standard ports
Drops files with innocent-looking names
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads CPU information from /sys indicative of miner or evasive malware
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sleeps for long times indicative of sandbox evasion
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes shell script file to disk with an unusual file extension
Writes shell script files to disk

Classification

Source: /tmp/linux_arm6.elf (PID: 6261) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6369) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6758) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Source: global traffic TCP traffic: 103.135.101.78 ports 808,52462,2,4,5,6
Source: unknown Network traffic detected: HTTP traffic on port 48758 -> 808
Source: unknown Network traffic detected: HTTP traffic on port 808 -> 48758
Source: global traffic TCP traffic: 192.168.2.23:40512 -> 103.135.101.78:52462
Source: /tmp/linux_arm6.elf (PID: 6261) Reads hosts file: /etc/hosts
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /password.txt HTTP/1.1Host: 103.135.101.78:808User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http: RoundTripper implementation (%T) returned a nil *Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromisedssh<<RMS>> equals www.yahoo.com (Yahoo)
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: tls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempts limit reached while verifying certificate chainMozilla/5.0 (compatible; MJ12bot/v1.4.0; http://www.majestic12.co.uk/bot.php?+)tls: client certificate private key of type %T does not implement crypto.SignerMozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html)crypto/rand: blocked for 60 seconds waiting to read random data from the kernel equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: aras.liveya.org
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://misc.yahoo.com.cn/help.html)crypto/rand:
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: dir.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.majestic12.co.uk/bot.php?
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: http://yandex.com/bots)http:
Source: dir.18.dr String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_arm6.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr, System.img.config.18.dr, libdlrpcld.so.18.dr, find.18.dr, ls.18.dr, id.services.conf.12.dr, dir.18.dr String found in binary or memory: https://www.so.com/s?q=index
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: /usr/bin/pkill (PID: 6369) SIGKILL sent: pid: 6267, result: successful
Source: /usr/bin/pkill (PID: 6758) SIGKILL sent: pid: 6519, result: successful
Source: classification engine Classification label: mal76.spre.troj.evad.linELF@0/148@4/0
Source: ELF file section Submission: linux_arm6.elf
Source: ELF file section Dropped file: id.services.conf.12.dr
Source: ELF file section Dropped file: System.img.config.18.dr
Source: ELF file section Dropped file: bash_config.18.dr
Source: ELF file section Dropped file: libdlrpcld.so.18.dr
Source: ELF file section Dropped file: system-monitor.18.dr
Source: ELF file section Dropped file: ps.18.dr
Source: ELF file section Dropped file: ss.18.dr
Source: ELF file section Dropped file: ls.18.dr
Source: ELF file section Dropped file: dir.18.dr
Source: ELF file section Dropped file: netstat.18.dr
Source: ELF file section Dropped file: find.18.dr
Source: ELF file section Dropped file: lsof.18.dr

Persistence and Installation Behavior

Source: /tmp/linux_arm6.elf (PID: 6261) File: /etc/profile.d/bash_config.sh
Source: /tmp/linux_arm6.elf (PID: 6261) File: /etc/profile.d/bash_config
Source: /usr/bin/bash (PID: 6644) File: /etc/crontab
Source: /tmp/linux_arm6.elf (PID: 6243) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6243) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /etc/profile.d/bash_config
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/netstat
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/lsof
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/lib/system-monitor
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/ls
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/lib/libdlrpcld.so
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/find
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/ss
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /boot/System.img.config
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/dir
Source: /tmp/linux_arm6.elf (PID: 6261) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /usr/bin/ps
Source: /tmp/linux_arm6.elf (PID: 6243) File with SHA-256 ACFED07E3530A36F137AE03A2641A15451947356C8716E39634B0FEA95F4607B written: /etc/id.services.conf
Source: /tmp/linux_arm6.elf (PID: 6261) File: /dev/.old
Source: /tmp/linux_arm6.elf (PID: 6261) File: /dev/.img
Source: /tmp/linux_arm6.elf (PID: 6261) File: /.img
Source: /etc/id.services.conf (PID: 6771) File: /dev/.old
Source: /etc/id.services.conf (PID: 6771) File: /dev/.img
Source: /boot/System.img.config (PID: 6520) File: /dev/.old
Source: /boot/System.img.config (PID: 6520) File: /dev/.img
Source: /boot/System.img.config (PID: 6520) Empty hidden file: /dev/.old
Source: /boot/System.img.config (PID: 6520) Empty hidden file: /dev/.img
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1698/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1698/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1576/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1576/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/2302/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/2302/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6227/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6227/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6347/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6347/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/912/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/912/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6228/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6228/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/2307/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/2307/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/918/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/918/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6364/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6364/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1594/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1594/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6360/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/6360/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1349/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1349/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6369) File opened: /proc/123/cmdline
Source: /tmp/linux_arm6.elf (PID: 6250) Shell command executed: /bin/bash -c /etc/32678&
Source: /tmp/linux_arm6.elf (PID: 6347) Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
Source: /tmp/linux_arm6.elf (PID: 6602) Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
Source: /usr/sbin/cron (PID: 6796) Shell command executed: /bin/sh -c "/.img "
Source: /boot/System.img.config (PID: 6369) Pkill executable: /usr/bin/pkill -> pkill -9 32678
Source: /etc/id.services.conf (PID: 6758) Pkill executable: /usr/bin/pkill -> pkill -9 32678
Source: /usr/sbin/service (PID: 6256) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6270) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6288) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/update-rc.d (PID: 6290) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6349) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6353) Systemctl executable: /usr/bin/systemctl -> systemctl enable linux.service
Source: /bin/bash (PID: 6360) Systemctl executable: /usr/bin/systemctl -> systemctl start linux.service
Source: /usr/sbin/service (PID: 6706) Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service
Source: /usr/sbin/service (PID: 6713) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6729) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /tmp/linux_arm6.elf (PID: 6745) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6768) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6776) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6782) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 6513) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6539) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6572) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /tmp/linux_arm6.elf (PID: 6243) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6243) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /boot/System.img.config (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/lib/libdlrpcld.so (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/lib/system-monitor (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/ss (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/ls (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/dir (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/find (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/linux_arm6.elf (PID: 6243) File written: /etc/id.services.conf
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /boot/System.img.config
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /etc/profile.d/bash_config
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/lib/libdlrpcld.so
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/lib/system-monitor
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/ps
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/ss
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/ls
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/dir
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/netstat
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/find
Source: /tmp/linux_arm6.elf (PID: 6261) File written: /usr/bin/lsof
Source: /tmp/linux_arm6.elf (PID: 6243) Writes shell script file to disk with an unusual file extension: /etc/32678
Source: /tmp/linux_arm6.elf (PID: 6261) Writes shell script file to disk with an unusual file extension: /etc/init.d/linux_kill
Source: /tmp/linux_arm6.elf (PID: 6261) Writes shell script file to disk with an unusual file extension: /.img
Source: /tmp/linux_arm6.elf (PID: 6261) Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh
Source: /tmp/linux_arm6.elf (PID: 6261) Shell script file created: /etc/profile.d/bash_config.sh
Source: /usr/sbin/service (PID: 6289) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6730) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6783) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6574) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection

Source: /tmp/linux_arm6.elf (PID: 6261) File: /etc/init.d/linux_kill
Source: /tmp/linux_arm6.elf (PID: 6261) File: /etc/init.d/ssh
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/ps
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/ss
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/ls
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/dir
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/netstat
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/find
Source: /tmp/linux_arm6.elf (PID: 6261) File: /usr/bin/lsof
Source: unknown Network traffic detected: HTTP traffic on port 48758 -> 808
Source: unknown Network traffic detected: HTTP traffic on port 808 -> 48758
Source: /tmp/linux_arm6.elf (PID: 6261) Path: /usr/bin/ps Jump to dropped file
Source: /tmp/linux_arm6.elf (PID: 6261) Path: /usr/bin/ss Jump to dropped file
Source: /tmp/linux_arm6.elf (PID: 6261) Path: /usr/bin/ls Jump to dropped file
Source: /tmp/linux_arm6.elf (PID: 6261) Path: /usr/bin/netstat Jump to dropped file
Source: /tmp/linux_arm6.elf (PID: 6261) Path: /usr/bin/lsof Jump to dropped file
Source: /etc/32678 (PID: 6269) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 6526) Sleep executable: /usr/bin/sleep -> sleep 60
Source: /etc/32678 (PID: 6774) Sleep executable: /usr/bin/sleep -> sleep 60
Source: /tmp/linux_arm6.elf (PID: 6261) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6369) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6758) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/sleep (PID: 6269) Sleeps longer than 60s: 60.0s
Source: /usr/bin/sleep (PID: 6526) Sleeps longer than 60s: 60.0s
Source: /usr/bin/sleep (PID: 6774) Sleeps longer than 60s: 60.0s
Source: /usr/sbin/cron (PID: 6735) Sleeps longer than 60s: 60.0s
Source: /tmp/linux_arm6.elf (PID: 6243) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6250) Queries kernel information via 'uname':
Source: /tmp/linux_arm6.elf (PID: 6261) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6347) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6602) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6644) Queries kernel information via 'uname':
Source: /boot/System.img.config (PID: 6364) Queries kernel information via 'uname':
Source: /etc/id.services.conf (PID: 6753) Queries kernel information via 'uname':
Source: /etc/id.services.conf (PID: 6771) Queries kernel information via 'uname':
Source: /boot/System.img.config (PID: 6520) Queries kernel information via 'uname':
Source: id.services.conf, 6771.1.00005640db93b000.00005640dc05f000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt
Source: System.img.config, 6520.1.00005635918d9000.0000563591fff000.rw-.sdmp Binary or memory string: 5VGeneralName!/etc/qemu-binfmt/arm
Source: linux_arm6.elf, 6243.1.000055876f842000.000055876ff86000.rw-.sdmp, 32678, 6753.1.000055e687ab6000.000055e6881fd000.rw-.sdmp, id.services.conf, 6753.1.000055e687ab6000.000055e6881fd000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: linux_arm6.elf, 6243.1.00007ffd2208f000.00007ffd220b0000.rw-.sdmp Binary or memory string: \"c?x86_64/usr/bin/qemu-arm/tmp/linux_arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/linux_arm6.elf
Source: id.services.conf, 6771.1.00005640db93b000.00005640dc05f000.rw-.sdmp Binary or memory string: @Vrg.qemu.gdb.arm.sys.regs">
Source: System.img.config, 6520.1.00007ffe84701000.00007ffe84722000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/boot/System.img.config
Source: systemd, 6364.1.00007ffef2bf1000.00007ffef2c12000.rw-.sdmp, System.img.config, 6364.1.00007ffef2bf1000.00007ffef2c12000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/boot/System.img.configLANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binINVOCATION_ID=5f750bbba067487fbf889e50bdbe0604JOURNAL_STREAM=9:75405/boot/System.img.config
Source: linux_arm6.elf, 6243.1.000055876f842000.000055876ff86000.rw-.sdmp, systemd, 6364.1.000055c292e51000.000055c293598000.rw-.sdmp, System.img.config, 6364.1.000055c292e51000.000055c293598000.rw-.sdmp, 32678, 6753.1.000055e687ab6000.000055e6881fd000.rw-.sdmp, id.services.conf, 6753.1.000055e687ab6000.000055e6881fd000.rw-.sdmp Binary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: System.img.config, 6520.1.00005635918d9000.0000563591fff000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: System.img.config, 6520.1.00007ffe84701000.00007ffe84722000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: System.img.config, 6520.1.00005635918d9000.0000563591fff000.rw-.sdmp Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: id.services.conf, 6771.1.00007ffd9d577000.00007ffd9d598000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/etc/id.services.conf
Source: systemd, 6364.1.000055c292e51000.000055c293598000.rw-.sdmp, System.img.config, 6364.1.000055c292e51000.000055c293598000.rw-.sdmp Binary or memory string: UGeneralName!/etc/qemu-binfmt/arm
Source: System.img.config, 6520.1.00005635918d9000.0000563591fff000.rw-.sdmp Binary or memory string: 5Vrg.qemu.gdb.arm.sys.regs">
Source: 32678, 6753.1.00007ffe352f2000.00007ffe35313000.rw-.sdmp, id.services.conf, 6753.1.00007ffe352f2000.00007ffe35313000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/etc/id.services.confJOURNAL_STREAM=9:75405PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binINVOCATION_ID=5f750bbba067487fbf889e50bdbe0604LANG=en_US.UTF-8PWD=//etc/id.services.conf
Source: id.services.conf, 6771.1.00005640db93b000.00005640dc05f000.rw-.sdmp Binary or memory string: @V!/etc/qemu-binfmt/arm

Stealing of Sensitive Information

Source: Yara match File source: linux_arm6.elf, type: SAMPLE
Source: Yara match File source: /usr/bin/ss, type: DROPPED
Source: Yara match File source: /usr/bin/find, type: DROPPED
Source: Yara match File source: /usr/bin/dir, type: DROPPED
Source: Yara match File source: /etc/id.services.conf, type: DROPPED
Source: Yara match File source: /etc/profile.d/bash_config, type: DROPPED
Source: Yara match File source: /usr/bin/netstat, type: DROPPED
Source: Yara match File source: /usr/lib/system-monitor, type: DROPPED
Source: Yara match File source: /usr/bin/lsof, type: DROPPED
Source: Yara match File source: /usr/lib/libdlrpcld.so, type: DROPPED
Source: Yara match File source: /boot/System.img.config, type: DROPPED
Source: Yara match File source: /usr/bin/ps, type: DROPPED
Source: Yara match File source: /usr/bin/ls, type: DROPPED

Remote Access Functionality

Source: Yara match File source: linux_arm6.elf, type: SAMPLE
Source: Yara match File source: /usr/bin/ss, type: DROPPED
Source: Yara match File source: /usr/bin/find, type: DROPPED
Source: Yara match File source: /usr/bin/dir, type: DROPPED
Source: Yara match File source: /etc/id.services.conf, type: DROPPED
Source: Yara match File source: /etc/profile.d/bash_config, type: DROPPED
Source: Yara match File source: /usr/bin/netstat, type: DROPPED
Source: Yara match File source: /usr/lib/system-monitor, type: DROPPED
Source: Yara match File source: /usr/bin/lsof, type: DROPPED
Source: Yara match File source: /usr/lib/libdlrpcld.so, type: DROPPED
Source: Yara match File source: /boot/System.img.config, type: DROPPED
Source: Yara match File source: /usr/bin/ps, type: DROPPED
Source: Yara match File source: /usr/bin/ls, type: DROPPED