Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
bot.x86_64.elf

Overview

General Information

Sample Name:bot.x86_64.elf
Analysis ID:1352210
MD5:91cf7c980da45a97653904fe8da5334b
SHA1:3db48bf9036d5a4882a1958260b83f956c911cb7
SHA256:bb81e6a77d5b49c90be0d8616c0b58f85890668482512c8d567c9dcb0adadc04
Infos:

Detection

Mirai
Score:96
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Detected Mirai
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Machine Learning detection for sample
Connects to many ports of the same IP (likely port scanning)
Yara signature match
Sample has stripped symbol table
Found strings indicative of a multi-platform dropper
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Joe Sandbox Version:38.0.0 Ammolite
Analysis ID:1352210
Start date and time:2023-12-02 19:45:14 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:bot.x86_64.elf
Detection:MAL
Classification:mal96.troj.linELF@0/0@21/0
Command:/tmp/bot.x86_64.elf
PID:5494
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
bot.x86_64.elfJoeSecurity_Mirai_3Yara detected MiraiJoe Security
    bot.x86_64.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0x163c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x163dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x163f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1642c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1647c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x164a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x164b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x164cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x164e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x164f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16508:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1651c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16530:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16544:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16558:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    bot.x86_64.elfLinux_Trojan_Gafgyt_9e9530a7unknownunknown
    • 0xcc10:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
    bot.x86_64.elfLinux_Trojan_Gafgyt_807911a2unknownunknown
    • 0xd3df:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
    bot.x86_64.elfLinux_Trojan_Gafgyt_d4227dbfunknownunknown
    • 0x9f06:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    • 0xf2f0:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    Click to see the 11 entries
    SourceRuleDescriptionAuthorStrings
    5494.1.0000000000400000.0000000000419000.r-x.sdmpJoeSecurity_Mirai_3Yara detected MiraiJoe Security
      5494.1.0000000000400000.0000000000419000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
      • 0x163c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x163dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x163f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1642c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1647c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x164a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x164b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x164cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x164e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x164f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16508:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1651c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16530:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16544:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x16558:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      5494.1.0000000000400000.0000000000419000.r-x.sdmpLinux_Trojan_Gafgyt_9e9530a7unknownunknown
      • 0xcc10:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
      5494.1.0000000000400000.0000000000419000.r-x.sdmpLinux_Trojan_Gafgyt_807911a2unknownunknown
      • 0xd3df:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
      5494.1.0000000000400000.0000000000419000.r-x.sdmpLinux_Trojan_Gafgyt_d4227dbfunknownunknown
      • 0x9f06:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
      • 0xf2f0:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
      Click to see the 13 entries
      Timestamp:192.168.2.1445.142.182.9535218439572030490 12/02/23-19:46:56.357195
      SID:2030490
      Source Port:35218
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535228439572030490 12/02/23-19:47:23.735122
      SID:2030490
      Source Port:35228
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535198439572030490 12/02/23-19:46:05.606499
      SID:2030490
      Source Port:35198
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535216439572030490 12/02/23-19:46:48.882722
      SID:2030490
      Source Port:35216
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535206439572030490 12/02/23-19:46:26.501103
      SID:2030490
      Source Port:35206
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535214439572030490 12/02/23-19:46:44.406725
      SID:2030490
      Source Port:35214
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535224439572030490 12/02/23-19:47:10.780577
      SID:2030490
      Source Port:35224
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.2345.142.182.9539044439572030490 12/02/23-19:45:49.870680
      SID:2030490
      Source Port:39044
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535226439572030490 12/02/23-19:47:21.260190
      SID:2030490
      Source Port:35226
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535236439572030490 12/02/23-19:47:54.641375
      SID:2030490
      Source Port:35236
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535204439572030490 12/02/23-19:46:23.024928
      SID:2030490
      Source Port:35204
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535210439572030490 12/02/23-19:46:33.453722
      SID:2030490
      Source Port:35210
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535220439572030490 12/02/23-19:46:58.831615
      SID:2030490
      Source Port:35220
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535232439572030490 12/02/23-19:47:35.688620
      SID:2030490
      Source Port:35232
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:45.142.182.95192.168.2.2343957390442030489 12/02/23-19:47:44.921599
      SID:2030489
      Source Port:43957
      Destination Port:39044
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535212439572030490 12/02/23-19:46:41.929620
      SID:2030490
      Source Port:35212
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535230439572030490 12/02/23-19:47:30.210203
      SID:2030490
      Source Port:35230
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535234439572030490 12/02/23-19:47:46.168228
      SID:2030490
      Source Port:35234
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535202439572030490 12/02/23-19:46:19.554567
      SID:2030490
      Source Port:35202
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535196439572030490 12/02/23-19:45:55.135725
      SID:2030490
      Source Port:35196
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535222439572030490 12/02/23-19:47:04.308097
      SID:2030490
      Source Port:35222
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535200439572030490 12/02/23-19:46:15.078790
      SID:2030490
      Source Port:35200
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.1445.142.182.9535208439572030490 12/02/23-19:46:28.979158
      SID:2030490
      Source Port:35208
      Destination Port:43957
      Protocol:TCP
      Classtype:A Network Trojan was detected

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Source: bot.x86_64.elfAvira: detected
      Source: bot.x86_64.elfReversingLabs: Detection: 64%
      Source: bot.x86_64.elfVirustotal: Detection: 52%Perma Link
      Source: bot.x86_64.elfJoe Sandbox ML: detected
      Source: bot.x86_64.elfString: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

      Networking

      barindex
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:39044 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 45.142.182.95:43957 -> 192.168.2.23:39044
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35196 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35198 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35200 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35202 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35204 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35206 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35208 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35210 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35212 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35214 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35216 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35218 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35220 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35222 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35224 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35226 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35228 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35230 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35232 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35234 -> 45.142.182.95:43957
      Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:35236 -> 45.142.182.95:43957
      Source: global trafficTCP traffic: 45.142.182.95 ports 43957,3,4,5,7,9
      Source: global trafficTCP traffic: 192.168.2.14:35196 -> 45.142.182.95:43957
      Source: unknownDNS traffic detected: queries for: botnet.shoprbx.com

      System Summary

      barindex
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1e0c5ce0 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_6a77af0f Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
      Source: Process Memory Space: bot.x86_64.elf PID: 5494, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
      Source: bot.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_1e0c5ce0 reference_sample = 5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8e45538b59f9c9b8bc49661069044900c8199e487714c715c1b1f970fd528e3b, id = 1e0c5ce0-3b76-4da4-8bed-2e5036b6ce79, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
      Source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
      Source: Process Memory Space: bot.x86_64.elf PID: 5494, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
      Source: ELF static info symbol of initial sample.symtab present: no
      Source: Initial sampleString containing 'busybox' found: /bin/busybox
      Source: Initial sampleString containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f
      Source: classification engineClassification label: mal96.troj.linELF@0/0@21/0
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1583/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/2672/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/110/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/111/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/112/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/113/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/234/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1577/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/114/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/235/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/115/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/116/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/117/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/118/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/119/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/10/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/917/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/11/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/12/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/13/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/14/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/15/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/16/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3770/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/17/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3771/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/18/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3772/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/19/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1593/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/240/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/120/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3094/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/121/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/242/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3406/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/122/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/243/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/2/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/123/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/244/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1589/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/124/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/245/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1588/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/125/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/4/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/246/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3402/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/126/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/5/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/247/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/127/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/6/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/248/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/128/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/7/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/249/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/8/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/129/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/800/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/9/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/801/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/803/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/20/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/806/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/21/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/807/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/928/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/22/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/23/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/24/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/25/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/26/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/27/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/28/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/29/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3420/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/490/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/250/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/130/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/251/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/131/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/252/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/132/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/253/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/254/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/255/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/135/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/256/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1599/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/257/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/378/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/258/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3412/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/259/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/3773/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/30/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/35/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/1371/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/260/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/261/cmdlineJump to behavior
      Source: /tmp/bot.x86_64.elf (PID: 5496)File opened: /proc/262/cmdlineJump to behavior

      Stealing of Sensitive Information

      barindex
      Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
      Source: Yara matchFile source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: bot.x86_64.elf PID: 5494, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Source: Yara matchFile source: bot.x86_64.elf, type: SAMPLE
      Source: Yara matchFile source: 5494.1.0000000000400000.0000000000419000.r-x.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: bot.x86_64.elf PID: 5494, type: MEMORYSTR
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
      Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checki