Click to jump to signature section
Source: global traffic | TCP traffic: 193.35.18.127 ports 19286,1,2,6,8,9 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 54.247.62.1 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.35.18.127 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/noneAccept: */*Accept-Encoding: identityHost: motd.ubuntu.comConnection: Keep-Alive |
Source: 3UPhJmQfMS.elf, 5427.1.0000000008048000.0000000008079000.r-x.sdmp | String found in binary or memory: http://code.google.com/appengine; |
Source: 3UPhJmQfMS.elf, 5427.1.0000000008048000.0000000008079000.r-x.sdmp | String found in binary or memory: http://majestic12.co.uk/bot.php? |
Source: 3UPhJmQfMS.elf, 5427.1.0000000008048000.0000000008079000.r-x.sdmp | String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/) |
Source: 3UPhJmQfMS.elf, 5426.1.0000000008048000.0000000008079000.r-x.sdmp, 3UPhJmQfMS.elf, 5427.1.0000000008048000.0000000008079000.r-x.sdmp | String found in binary or memory: http://www.brandwatch.net) |
Source: 3UPhJmQfMS.elf, 5427.1.0000000008048000.0000000008079000.r-x.sdmp | String found in binary or memory: http://www.majestic12.co.uk/bot.php? |
Source: 3UPhJmQfMS.elf, 5426.1.0000000008048000.0000000008079000.r-x.sdmp, 3UPhJmQfMS.elf, 5427.1.0000000008048000.0000000008079000.r-x.sdmp | String found in binary or memory: http://www.mojeek.com/bot.html) |
Source: unknown | Network traffic detected: HTTP traffic on port 37688 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 37688 |
Source: unknown | Network traffic detected: HTTP traffic on port 57214 -> 443 |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_122ff2e6 Author: unknown |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_fa48b592 Author: unknown |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_122ff2e6 Author: unknown |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_fa48b592 Author: unknown |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5426, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5426, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5427, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5427, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown |
Source: LOAD without section mappings | Program segment: 0x8048000 |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_122ff2e6 reference_sample = c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348, id = 122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80, last_modified = 2021-09-16 |
Source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_fa48b592 reference_sample = c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88, id = fa48b592-8d80-45af-a3e4-232695b8f5dd, last_modified = 2021-09-16 |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_122ff2e6 reference_sample = c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348, id = 122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80, last_modified = 2021-09-16 |
Source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_fa48b592 reference_sample = c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88, id = fa48b592-8d80-45af-a3e4-232695b8f5dd, last_modified = 2021-09-16 |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5426, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5426, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5427, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
Source: Process Memory Space: 3UPhJmQfMS.elf PID: 5427, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16 |
Source: classification engine | Classification label: mal84.spre.troj.linELF@0/0@2/0 |
Source: /usr/bin/dash (PID: 5466) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ealSxqo2Xg /tmp/tmp.HCC54RocfC /tmp/tmp.03p31RU5X2 | Jump to behavior |
Source: /usr/bin/dash (PID: 5475) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.ealSxqo2Xg /tmp/tmp.HCC54RocfC /tmp/tmp.03p31RU5X2 | Jump to behavior |
Source: Yara match | File source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3UPhJmQfMS.elf PID: 5426, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: 3UPhJmQfMS.elf PID: 5427, type: MEMORYSTR |
Source: Yara match | File source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: 5427.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: 5426.1.0000000008048000.0000000008079000.r-x.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 3UPhJmQfMS.elf PID: 5426, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: 3UPhJmQfMS.elf PID: 5427, type: MEMORYSTR |