Linux Analysis Report
FgVMRcCJXn.elf

Overview

General Information

Sample name: FgVMRcCJXn.elf (renamed because the original name is a hash value)
Original sample name: 0c49099c4b3fe271beb912f0a1116ee9.elf
Analysis ID: 1428276
MD5: 0c49099c4b3fe271beb912f0a1116ee9
SHA1: 7476bf6f70808da386c15dc6146b08b630a6e6e9
SHA256: e4da40e9a08f169be4bc7dc9e27c939e1434a0d48a09bcb1dd8e32f0d0b3bae1
Tags: 32, arm, elf, mirai

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Sample tries to kill multiple processes (SIGKILL)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: FgVMRcCJXn.elf Avira: detected
Source: FgVMRcCJXn.elf ReversingLabs: Detection: 34%

Networking

Source: global traffic TCP traffic: 152.42.220.29 ports 2,3,6,7,8,32876
Source: global traffic TCP traffic: 192.168.2.23:58718 -> 152.42.220.29:32876
Source: global traffic UDP traffic: 192.168.2.23:8991 -> 45.224.4.83:30918
Source: global traffic UDP traffic: 192.168.2.23:57034 -> 177.221.123.223:6150
Source: global traffic UDP traffic: 192.168.2.23:52310 -> 45.239.240.127:63498
Source: global traffic UDP traffic: 192.168.2.23:33972 -> 138.99.32.91:5200
Source: global traffic UDP traffic: 192.168.2.23:37650 -> 170.247.21.162:22976
Source: global traffic UDP traffic: 192.168.2.23:47907 -> 143.137.12.231:12545
Source: /tmp/FgVMRcCJXn.elf (PID: 6252) Socket: 127.0.0.1::1234
Source: /tmp/FgVMRcCJXn.elf (PID: 6254) Socket: 0.0.0.0::23
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 192.3.165.37
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 143.137.12.231
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 177.221.123.223
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 170.247.21.162
Source: unknown UDP traffic detected without corresponding DNS query: 45.239.240.127
Source: unknown UDP traffic detected without corresponding DNS query: 138.99.32.91
Source: unknown UDP traffic detected without corresponding DNS query: 45.224.4.83
Source: unknown DNS traffic detected: queries for: monkeyfuck.gopher
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39256
Source: unknown Network traffic detected: HTTP traffic on port 39256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 904, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 912, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 918, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 936, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2018, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2077, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2078, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2079, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2080, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2083, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2084, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2114, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 2156, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 4437, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6279, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6280, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6281, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6282, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6283, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6284, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6345, result: successful
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) SIGKILL sent: pid: 6347, result: successful
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.spre.troj.linELF@0/0@1/0
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6234/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6234/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6234/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6235/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6235/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6235/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1582/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1582/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1582/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/3088/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/230/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/110/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/231/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/111/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/232/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1579/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1579/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1579/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/112/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/233/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1699/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1699/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1699/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/113/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/234/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1335/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1335/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1335/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1698/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1698/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1698/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/114/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/235/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1334/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1334/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1334/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1576/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1576/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1576/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2302/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2302/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2302/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/115/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/236/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/116/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/237/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/117/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/118/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/910/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/119/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/912/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/912/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/10/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2307/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2307/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2307/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/11/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/918/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/918/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/12/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/13/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/14/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/15/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/16/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/17/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/18/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1594/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1594/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1594/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/120/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/121/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1349/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1349/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1349/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/122/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/243/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/123/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/2/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/124/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/3/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/4/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/125/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/126/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1344/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1344/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1344/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1465/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1465/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1465/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1586/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1586/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1586/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/127/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/6/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/248/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/128/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/249/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1463/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1463/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/1463/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/800/cmdline
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/800/maps
Source: /tmp/FgVMRcCJXn.elf (PID: 6258) File opened: /proc/800/cmdline
Source: /usr/bin/dash (PID: 6285) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.AgkoQdQsxY /tmp/tmp.9O3Asy799c /tmp/tmp.kLgPHeHjJV
Source: /usr/bin/dash (PID: 6286) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.AgkoQdQsxY /tmp/tmp.9O3Asy799c /tmp/tmp.kLgPHeHjJV
Source: /tmp/FgVMRcCJXn.elf (PID: 6252) Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 6279) Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 6280) Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 6282) Queries kernel information via 'uname'
Source: FgVMRcCJXn.elf, 6252.1.000055fa35921000.000055fa35a70000.rw-.sdmp, FgVMRcCJXn.elf, 6345.1.000055fa35921000.000055fa35a4f000.rw-.sdmp, FgVMRcCJXn.elf, 6347.1.000055fa35921000.000055fa35a4f000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: FgVMRcCJXn.elf, 6252.1.000055fa35921000.000055fa35a70000.rw-.sdmp, FgVMRcCJXn.elf, 6345.1.000055fa35921000.000055fa35a4f000.rw-.sdmp, FgVMRcCJXn.elf, 6347.1.000055fa35921000.000055fa35a4f000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: FgVMRcCJXn.elf, 6252.1.00007ffef088b000.00007ffef08ac000.rw-.sdmp, FgVMRcCJXn.elf, 6345.1.00007ffef088b000.00007ffef08ac000.rw-.sdmp, FgVMRcCJXn.elf, 6347.1.00007ffef088b000.00007ffef08ac000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: FgVMRcCJXn.elf, 6252.1.00007ffef088b000.00007ffef08ac000.rw-.sdmp, FgVMRcCJXn.elf, 6345.1.00007ffef088b000.00007ffef08ac000.rw-.sdmp, FgVMRcCJXn.elf, 6347.1.00007ffef088b000.00007ffef08ac000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/FgVMRcCJXn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FgVMRcCJXn.elf