Source: Kt28gy4sgm.elf |
ReversingLabs: Detection: 55% |
Source: Kt28gy4sgm.elf |
String: /proc//exe%s/%s/proc/%s/cmdlinewgetcurlnetstatgreppslsmvechokillbashrebootshutdownhaltpowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe//mnt/root/dev/null/dev/console/dev/watchdog/dev/misc/watchdog |
Source: global traffic |
TCP traffic: 192.168.2.23:60512 -> 104.168.45.11:7722 |
Source: /tmp/Kt28gy4sgm.elf (PID: 6225) |
Socket: 127.0.0.1::39123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 34.249.145.219 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: tcpdown.su |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 39248 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 39248 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: ELF static info symbol of initial sample |
Name: attack.c |
Source: ELF static info symbol of initial sample |
Name: attack_get_opt_int |
Source: ELF static info symbol of initial sample |
Name: attack_get_opt_ip |
Source: ELF static info symbol of initial sample |
Name: attack_gre.c |
Source: ELF static info symbol of initial sample |
Name: attack_gre_eth |
Source: ELF static info symbol of initial sample |
Name: attack_gre_ip |
Source: ELF static info symbol of initial sample |
Name: attack_init |
Source: ELF static info symbol of initial sample |
Name: attack_kill_all |
Source: ELF static info symbol of initial sample |
Name: attack_method_udprape |
Source: ELF static info symbol of initial sample |
Name: attack_ongoing |
Source: Kt28gy4sgm.elf |
ELF static info symbol of initial sample: __gnu_unwind_execute |
Source: classification engine |
Classification label: mal72.troj.evad.linELF@0/0@6/0 |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/11/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/22/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/33/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/66/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/111/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/222/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/333/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/777/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/888/cmdline |
Source: /tmp/Kt28gy4sgm.elf (PID: 6231) |
File opened: /proc/999/cmdline |
Source: /usr/bin/dash (PID: 6294) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.0Yye5q8mNq /tmp/tmp.dgNBUU65IJ /tmp/tmp.swPyngJifa |
Source: /usr/bin/dash (PID: 6295) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.0Yye5q8mNq /tmp/tmp.dgNBUU65IJ /tmp/tmp.swPyngJifa |
Source: /tmp/Kt28gy4sgm.elf (PID: 6225) |
File: /tmp/Kt28gy4sgm.elf |
Source: /tmp/Kt28gy4sgm.elf (PID: 6225) |
Queries kernel information via 'uname': |
Source: Kt28gy4sgm.elf, 6264.1.0000559b620b3000.0000559b620d5000.rw-.sdmp |
Binary or memory string: vmware |
Source: Kt28gy4sgm.elf, 6225.1.0000559b61f85000.0000559b620d4000.rw-.sdmp, Kt28gy4sgm.elf, 6264.1.0000559b61f85000.0000559b620b3000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/arm |
Source: Kt28gy4sgm.elf, 6264.1.0000559b620b3000.0000559b620d5000.rw-.sdmp |
Binary or memory string: $0vmware |
Source: Kt28gy4sgm.elf, 6225.1.0000559b61f85000.0000559b620d4000.rw-.sdmp, Kt28gy4sgm.elf, 6264.1.0000559b61f85000.0000559b620b3000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
Source: Kt28gy4sgm.elf, 6225.1.00007ffdef016000.00007ffdef037000.rw-.sdmp, Kt28gy4sgm.elf, 6264.1.00007ffdef016000.00007ffdef037000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |
Source: Kt28gy4sgm.elf, 6225.1.00007ffdef016000.00007ffdef037000.rw-.sdmp, Kt28gy4sgm.elf, 6264.1.00007ffdef016000.00007ffdef037000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Kt28gy4sgm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Kt28gy4sgm.elf |
Source: Yara match |
File source: Kt28gy4sgm.elf, type: SAMPLE |