Source: KxTpfpJzPK.elf
ReversingLabs: Detection: 42%
Source: unknown
HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.14:37902 version: TLS 1.2
Source:
DNS query: kovey.mezo-api.xyz
Source: global traffic
TCP traffic: 192.168.2.14:40928 -> 45.131.111.219:33966
Source: unknown
TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown
DNS traffic detected: queries for: kovey.mezo-api.xyz
Source: unknown
Network traffic detected: HTTP traffic on port 37902 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 37902
Source: KxTpfpJzPK.elf, type: SAMPLE
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5483.1.00007fa010017000.00007fa010027000.r-x.sdmp, type: MEMORY
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: KxTpfpJzPK.elf PID: 5483, type: MEMORYSTR
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: ELF static info symbol of initial sample
.symtab present: no
Source: KxTpfpJzPK.elf, type: SAMPLE
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5483.1.00007fa010017000.00007fa010027000.r-x.sdmp, type: MEMORY
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: KxTpfpJzPK.elf PID: 5483, type: MEMORYSTR
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine
Classification label: mal84.troj.evad.linELF@0/1@11/0
Source: /usr/bin/dash (PID: 5500)
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fBKTZpHhzr /tmp/tmp.UD7HFmTAD6 /tmp/tmp.j4pNbUEbNf
Source: /usr/bin/dash (PID: 5509)
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fBKTZpHhzr /tmp/tmp.UD7HFmTAD6 /tmp/tmp.j4pNbUEbNf
Source: /tmp/KxTpfpJzPK.elf (PID: 5485)
File: /tmp/KxTpfpJzPK.elf
Source: /tmp/KxTpfpJzPK.elf (PID: 5483)
Queries kernel information via 'uname':
Source: KxTpfpJzPK.elf, 5483.1.00007fff1cc95000.00007fff1ccb6000.rw-.sdmp
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/KxTpfpJzPK.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/KxTpfpJzPK.elf
Source: KxTpfpJzPK.elf, 5483.1.000055c7d82ca000.000055c7d83f8000.rw-.sdmp
Binary or memory string: U!/etc/qemu-binfmt/arm
Source: KxTpfpJzPK.elf, 5483.1.00007fff1cc95000.00007fff1ccb6000.rw-.sdmp
Binary or memory string: U/tmp/qemu-open.XxdFfM:E
Source: KxTpfpJzPK.elf, 5483.1.000055c7d82ca000.000055c7d83f8000.rw-.sdmp
Binary or memory string: /etc/qemu-binfmt/arm
Source: KxTpfpJzPK.elf, 5483.1.00007fff1cc95000.00007fff1ccb6000.rw-.sdmp
Binary or memory string: /tmp/qemu-open.XxdFfM
Source: KxTpfpJzPK.elf, 5483.1.00007fff1cc95000.00007fff1ccb6000.rw-.sdmp
Binary or memory string: /usr/bin/qemu-arm
Source: Yara match
File source: KxTpfpJzPK.elf, type: SAMPLE
Source: Yara match
File source: 5483.1.00007fa010017000.00007fa010027000.r-x.sdmp, type: MEMORY