Source: 3OcPSlVa7n.elf |
ReversingLabs: Detection: 55% |
Source: 3OcPSlVa7n.elf |
Virustotal: Detection: 56% |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:39932 -> 120.193.217.226:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:42004 -> 120.193.217.226:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:40516 -> 125.168.207.100:23 |
Source: Traffic |
Snort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.13:49684 -> 200.54.251.113:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:36470 -> 149.210.61.204:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:41072 -> 125.168.207.100:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:55874 -> 123.25.238.188:23 |
Source: Traffic |
Snort IDS: 2023452 ET TROJAN Possible Linux.Mirai Login Attempt (Zte521) 192.168.2.13:50054 -> 200.54.251.113:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:55002 -> 41.63.244.11:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:57630 -> 125.66.29.3:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:51560 -> 83.170.207.226:23 |
Source: Traffic |
Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.13:51524 -> 200.54.251.113:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:51524 -> 200.54.251.113:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:58354 -> 125.66.29.3:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:54514 -> 111.221.176.81:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:47254 -> 195.226.224.177:23 |
Source: Traffic |
Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:46372 -> 186.130.107.251:23 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51876 |
Source: global traffic |
TCP traffic: 192.168.2.13:38458 -> 91.92.250.136:11025 |
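The Snort alerts and the single non-telnet flow above are the raw material for triage. The following Python, an added example and not part of the sandbox report, parses lines in the report's own "Snort IDS: <sid> <msg> <src>:<port> -> <dst>:<port>" and "TCP traffic: ..." shape (a format assumption), counts alerts per SID, pulls the default passwords named in the ET TROJAN Mirai rule messages, separates telnet-scan fan-out from the lone 91.92.250.136:11025 connection, and flags a source as a scanner once it has hit a configurable number of distinct telnet targets. The sample lines are constructed from entries shown above; the "C2 candidate" label is a heuristic (any outbound flow not on the telnet port), not something the report itself asserts.

```python
"""Triage helper for sandbox network alerts of a Mirai-style telnet scanner.

Added example, not part of the sandbox report. The input format is assumed to
be the report's own 'Snort IDS: ...' and 'TCP traffic: ...' lines.
"""
import re
from collections import Counter, defaultdict

# Endpoint pattern shared by both line shapes: "<src>:<sport> -> <dst>:<dport>"
_ENDPOINTS = (r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
              r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)")
SNORT_RE = re.compile(r"Snort IDS:\s+(?P<sid>\d+)\s+(?P<msg>.+?)\s+" + _ENDPOINTS)
FLOW_RE = re.compile(r"TCP traffic:\s+" + _ENDPOINTS)
# ET TROJAN Mirai login rules end their message with the password tried, e.g. "(hi3518)"
PASSWORD_RE = re.compile(r"\((?P<pw>\w+)\)\s*$")

# Constructed sample input, copied from entries in the report above.
SAMPLE_LINES = [
    "Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:39932 -> 120.193.217.226:23",
    "Snort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.13:49684 -> 200.54.251.113:23",
    "Snort IDS: 2023452 ET TROJAN Possible Linux.Mirai Login Attempt (Zte521) 192.168.2.13:50054 -> 200.54.251.113:23",
    "Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.13:51524 -> 200.54.251.113:23",
    "Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:51524 -> 200.54.251.113:23",
    "Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:40516 -> 125.168.207.100:23",
    "TCP traffic: 192.168.2.13:38458 -> 91.92.250.136:11025",
]


def parse_events(lines):
    """Parse report lines into event dicts; lines of neither shape are ignored."""
    events = []
    for line in lines:
        kind, m = "alert", SNORT_RE.search(line)
        if not m:
            kind, m = "flow", FLOW_RE.search(line)
        if not m:
            continue
        d = m.groupdict()  # flow lines have no 'sid'/'msg' groups
        events.append({
            "kind": kind,
            "sid": d.get("sid"),
            "msg": d.get("msg") or "",
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    return events


def summarize(events, telnet_port=23):
    """Per-SID counts, distinct telnet targets, passwords tried, and non-telnet flows."""
    alerts = [e for e in events if e["kind"] == "alert"]
    by_sid = Counter(e["sid"] for e in alerts)
    telnet_targets = sorted({e["dst"] for e in events if e["dport"] == telnet_port})
    passwords = sorted({m["pw"] for e in alerts
                        for m in [PASSWORD_RE.search(e["msg"])] if m})
    # Heuristic only: an outbound flow that is not part of the telnet fan-out.
    c2_candidates = sorted({(e["dst"], e["dport"]) for e in events
                            if e["dport"] != telnet_port})
    return {"by_sid": dict(by_sid), "telnet_targets": telnet_targets,
            "passwords": passwords, "c2_candidates": c2_candidates}


def scanning_sources(events, telnet_port=23, min_targets=3):
    """Sources that opened telnet to at least min_targets distinct hosts."""
    fanout = defaultdict(set)
    for e in events:
        if e["dport"] == telnet_port:
            fanout[e["src"]].add(e["dst"])
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LINES)
    print(summarize(ev))
    print("scanners:", scanning_sources(ev))
```

The fan-out threshold is deliberately low for a short report excerpt; against a full pcap, raise `min_targets` and additionally require many distinct destinations within a short window, since a single legitimate telnet client rarely opens sessions to dozens of unrelated hosts.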
Source: /tmp/3OcPSlVa7n.elf (PID: 5452) |
Socket: 0.0.0.0::23 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 133.190.215.89 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 180.136.44.135 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 38.201.48.89 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 196.251.166.59 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 202.11.229.128 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 216.216.242.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 117.50.184.208 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 75.85.212.186 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 156.223.32.215 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.238.250.19 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 96.161.98.30 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 71.62.180.89 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 32.123.11.231 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 126.63.62.169 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 150.151.122.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 41.87.116.23 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 143.85.239.10 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.217.199.100 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.182.60.23 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.163.237.212 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 88.40.9.8 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 153.126.133.252 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.157.184.210 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 153.60.213.35 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 123.135.188.171 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 141.119.227.240 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 103.92.72.164 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 196.62.173.44 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 12.108.6.164 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 119.226.70.37 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 82.68.120.108 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 1.154.119.112 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 44.112.217.199 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 223.107.175.237 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 132.223.109.91 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 86.232.88.228 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 202.153.86.255 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 161.158.56.230 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 213.14.196.77 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 164.204.180.153 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.35.17.21 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 129.142.137.168 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.58.233.230 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 115.73.197.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 93.145.206.118 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 220.128.100.84 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 100.160.184.86 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 60.214.253.132 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 61.199.67.255 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 144.198.91.76 |
Source: unknown |
DNS traffic detected: queries for: daisy.ubuntu.com |
Source: ELF static info symbol of initial sample |
.symtab present: no |
Source: classification engine |
Classification label: mal76.troj.linELF@0/0@2/0 |
Source: /tmp/3OcPSlVa7n.elf (PID: 5445) |
Queries kernel information via 'uname': |
Source: 3OcPSlVa7n.elf, 5445.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-sh4 |
Source: 3OcPSlVa7n.elf, 5445.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.0000556f2723c000.0000556f2729f000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/sh4 |
Source: 3OcPSlVa7n.elf, 5445.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp |
Binary or memory string: Vx86_64/usr/bin/qemu-sh4/tmp/3OcPSlVa7n.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/3OcPSlVa7n.elf |
Source: 3OcPSlVa7n.elf, 5445.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.0000556f2723c000.0000556f2729f000.rw-.sdmp |
Binary or memory string: #'oU5!/etc/qemu-binfmt/sh4 |
Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Traffic |
Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) |
Source: Traffic |
Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (Zte521) |
Source: Traffic |
Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511) |