Linux Analysis Report
hYN45tzxwl.elf

Overview

General Information

Sample name: hYN45tzxwl.elf
renamed because original name is a hash value
Original sample name: 929e91d3194d76cebd75096e13f225be.elf
Analysis ID: 1427779
MD5: 929e91d3194d76cebd75096e13f225be
SHA1: 7de0149131e962e782b7904905b7688df3fcbbf4
SHA256: ed0784ef545e9667e5dca6ee56b0fd08abea68f3c2c85de757ceeab66f3d8ca4
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

Source: hYN45tzxwl.elf ReversingLabs: Detection: 34%
Source: hYN45tzxwl.elf Virustotal: Detection: 24%

Networking

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56412
Source: global traffic TCP traffic: 192.168.2.23:37300 -> 87.120.84.160:1312
Source: /tmp/hYN45tzxwl.elf (PID: 6213) Socket: 0.0.0.0::0
Source: /tmp/hYN45tzxwl.elf (PID: 6213) Socket: 0.0.0.0::37215
Source: /tmp/hYN45tzxwl.elf (PID: 6219) Socket: 0.0.0.0::0
Source: hYN45tzxwl.elf String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39360
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 39360 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: 6213.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6213.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: hYN45tzxwl.elf PID: 6211, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: hYN45tzxwl.elf PID: 6211, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: LOAD without section mappings Program segment: 0x8000
Source: /tmp/hYN45tzxwl.elf (PID: 6213) SIGKILL sent: pid: 936, result: successful
Source: /tmp/hYN45tzxwl.elf (PID: 6219) SIGKILL sent: pid: 936, result: successful
Source: 6213.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6213.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: hYN45tzxwl.elf PID: 6211, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: hYN45tzxwl.elf PID: 6211, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal80.troj.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/hYN45tzxwl.elf (PID: 6213) File opened: /proc/491/fd
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/491/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/793/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/772/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/796/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/774/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/797/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/777/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/799/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/658/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/912/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/759/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/936/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/918/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/1/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/761/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/785/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/884/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/720/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/721/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/788/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/789/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/800/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/801/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/847/fd Jump to behavior
Source: /tmp/hYN45tzxwl.elf (PID: 6219) File opened: /proc/904/fd Jump to behavior
Source: /usr/bin/dash (PID: 6285) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ilw0M71Rok /tmp/tmp.TveOx7I7MP /tmp/tmp.7G1hODqGZH Jump to behavior
Source: /usr/bin/dash (PID: 6286) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ilw0M71Rok /tmp/tmp.TveOx7I7MP /tmp/tmp.7G1hODqGZH Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56412
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56418
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56436
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56442
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56446
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56448
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56450
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56452
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32784
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32788
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32792
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32794
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32796
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32798
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32802
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32806
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32810
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 32812
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33432
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33438
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33448
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33454
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33482
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33490
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33496
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52644
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52676
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52696
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52720
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52718
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52742
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52744
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52764
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52766
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52796
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52798
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52822
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52826
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52844
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52846
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52858
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43726
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52862
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55500
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43732
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52894
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55526
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52914
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55536
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52920
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55548
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52936
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55562
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52950
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55574
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52968
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52970
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52988
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52990
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43748
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52996
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 53012
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 53024
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55590
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55660
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43032
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43046
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43084
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43090
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43100
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54988
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55000
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55022
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43112
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55036
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43168
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43190
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55056
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55126
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55156
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55190
Source: hYN45tzxwl.elf Submission file: segment LOAD with 7.9551 entropy (max. 8.0)
Source: /tmp/hYN45tzxwl.elf (PID: 6211) Queries kernel information via 'uname':
Source: hYN45tzxwl.elf, 6211.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6213.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6347.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6365.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6355.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6215.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6346.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6220.1.000055ecb1172000.000055ecb1340000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: hYN45tzxwl.elf, 6211.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6213.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6347.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6365.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6355.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6215.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6346.1.000055ecb1172000.000055ecb1340000.rw-.sdmp, hYN45tzxwl.elf, 6220.1.000055ecb1172000.000055ecb1340000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: hYN45tzxwl.elf, 6211.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6213.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6347.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6365.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6355.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6215.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6346.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6220.1.00007ffde5901000.00007ffde5922000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: hYN45tzxwl.elf, 6211.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6213.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6347.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6365.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6355.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6215.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6346.1.00007ffde5901000.00007ffde5922000.rw-.sdmp, hYN45tzxwl.elf, 6220.1.00007ffde5901000.00007ffde5922000.rw-.sdmp Binary or memory string: Q]etx86_64/usr/bin/qemu-arm/tmp/hYN45tzxwl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hYN45tzxwl.elf

Stealing of Sensitive Information

Source: Yara match File source: 6213.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6355.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6346.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6365.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6220.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6215.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6211.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6347.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 6213.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6355.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6346.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6365.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6220.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6215.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6211.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6347.1.00007ff494017000.00007ff49402b000.r-x.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP