Linux Analysis Report
2V7qaSy0Jl.elf

Overview

General Information

Sample name: 2V7qaSy0Jl.elf
renamed because original name is a hash value
Original sample name: 4b15139d9470c06c80f03adc079299dc.elf
Analysis ID: 1430965
MD5: 4b15139d9470c06c80f03adc079299dc
SHA1: c5b21eb6f1b006e1453885ddf9f0008b5cd5bf68
SHA256: a9301a5114ab68806699349380c7d06da2ba1f1b10001d6f47442c3d3eca5399
Tags: 32elfmipsmirai
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Queries the IP of a very long domain name
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Connects to many different domains
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 2V7qaSy0Jl.elf Virustotal: Detection: 19% Perma Link
Source: 2V7qaSy0Jl.elf ReversingLabs: Detection: 13%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5531) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5537) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5544) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Found strings indicative of a multi-platform dropper
Source: 2V7qaSy0Jl.elf String: /proc/%s/exeself/proc/proc/%s/fd/%s%ssocket/proc//usr/bin//usr/sbin//usr/local/bin//usr/local/sbin//usr/lib//usr/lib64//etc//lib/systemd//usr/lib/systemd/usr/libexec//snap/snapd//snap/core//system/system/bin//hdisk//fhbak//factory_setting//mnt//dev/vdec/dev/fb1/home/hik/hicore/usr/local/nginx/sbin/nginx/dev/mem/fh//usr/syno//dev/adec/dev/fb3/SYSV00000000/dev/mmz_userdev/tmp/wd/onuProbe/app//var/Kylin/var/Challenge/usr/bin/pvalue_validation_server/opt/vyatta/sbin/ubnt-cfgd/init/usr/share//root/app//opt/VBox/CloudResetPwdUpdateAgent//usr/local/src/java//run/log/journal//usr/www/cgi-bin//web//htdocs//userfs/bin//config/dvr//opt/qcom/bin/pts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforpsPid=%d Path=%s%s/%s/tmp/var/mnt/root/boot/bin/sbin/home/dev/dev/null/dev/console/var/lib/docker/fd>

Networking
barindex
Queries the IP of a very long domain name
Source: unknown DNS traffic detected: query: siegheil.hiter.su.1(fa66a/PV!EH(]+25?1(fbNNPV!a/E@'@@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.1(f66a/PV!EH(]c25@5?1(fNNPV!a/E@'@@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.1(fc66a/PV!EH(]2_5/?1(f-NNPV!a/E@(@@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.2(f66a/PV!EH(]2!51?2(fNNPV!a/E@(W@@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.2(f]d66a/PV!EH(]25[?2(feJJPV!a/E<m@@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.6(fBBBPV!a/E4@@o}J?[yr3`Nq%s9(fNNPV!a/.E@@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.>(fZNNPV!a/E@@@R[%5,5siegheilhitersusC(fNN
Source: unknown DNS traffic detected: query: siegheil.hiter.su.C(fNNPV!a/E@@@[%5,5siegheilhitersusH(fGNN
Source: unknown DNS traffic detected: query: siegheil.hiter.su.H(fGNNPV!a/E@@@b[%5,5siegheilhitersusM(fJJ
Source: unknown DNS traffic detected: query: siegheil.hiter.su.M(fJJPV!a/E<@@R0FE\4N(f#66a
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.U(fUBBPV!a/E4@@o}J?[yr3`NqsU(fNNPV!a/.E@Q3@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.Z(fNNPV!a/E@U@@!5,kzadolfhitlersus_(faNN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su._(faNNPV!a/E@W@@q5,'kzadolfhitlersusd(fNN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.d(fNNPV!a/E@\@@um5,+kzadolfhitlersusi(fJJ
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.i(fJJPV!a/E<m@@Fi(f66a
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.p(fJNNPV!a/E@<t@@95,gkzadolfhitlersusu(fNN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.u(fNNPV!a/E@?@@65,QGkzadolfhitlersusz(f1 NN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.z(f1 NNPV!a/E@BB@@3V5,kzadolfhitlersus(f4NN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f4NNPV!a/E@E@@0G5,*kzadolfhitlersus(fDJJ
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fDJJPV!a/E<W@sKyE 4@@pJ8PING(f8JJJPV.a/E<U@@F
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f&66a/PV!EH(0V5x(f'NNPV!a/E@@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fB66a/PV!EH(0$5(f'NNPV!a/E@@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fpT66a/PV!EH(/5(fVNNPV!a/E@Q@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f66a/PV!EH(A05(f'!NNPV!a/E@y@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f66a/PV!EH(r15(fJJPV!a/E<@@.F%n1(fQ66a/PV!E((.,"F%P(fXXPV!a/E
Source: unknown DNS traffic detected: query: siegheil.hiter.su.(fP@66a/PV!EH(15/(fEANNPV!a/E@.@@+5,/sieg.eilhitersun(f66a/PV!EH(0T5>/(fNN
Source: unknown DNS traffic detected: query: siegheil.hiter.su.(f66a/PV!EH(0T5>/(fNNPV!a/E@.@@95,/siegheilhitersun(fpC66a/PV!EH(1'59
Source: unknown DNS traffic detected: query: siegheil.hiter.su.(fpC66a/PV!EH(1'59?/(fDNNPV!a/E@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.(f^66a/PV!EH(/5/(fNNPV!a/E@
Source: unknown DNS traffic detected: query: siegheil.hiter.su.(fb66a/PV!EH(C15?/(f9dJJPV!a/E<.@@F_<
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(f'66a/PV!EH(0P5>f(fVVPV!a/EHd@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(fq66a/PV!EH( 05Z@f(ftVVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(f{166a/PV!EH(%15Lf(f2VVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(fk66a/PV!EH(F05_nof(fVVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(fOG66a/PV!EH(/5t1f(fHJJPV!a/E<ol@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(fk66a/PV!E((.,3;5a(fVVPV!a/EH.@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(f0\66a/PV!E((.,3;5a(f3]VVPV!a/EH]@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(f~66a/PV!E((9.,u3;56a(fVVPV!a/EH`@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(fy66a/PV!E((H.,f3;5Na(fVVPV!a/EH@@
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.(fQ66a/PV!E((~.,03;5a(fSJJPV!a/E<@@.F"58$(fJJPV!a/E<@@iF"5
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fINNa/PV!E(@/H^3l5,Hjkzadolfhitlersus(fNN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f7NNa/PV!E(@/HH3l5,jkzadolfhitlersus(f8NN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(feNNa/PV!E(@#/HC3l5X,xjkzadolfhitlersus(fgNN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fNNa/PV!E(@d/H3l5, Fjkzadolfhitlersus(fNN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fENNa/PV!E(@/G3l5*,jkzadolfhitlersus(fXFJJ
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f66a/PV!EH(hb+m=5L(f?NNPV!a/E@ @@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(f66a/PV!EH(h+mw=5ML(fINNPV!a/E@l@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.(fN66a/PV!EH(h,lQ=5&L(fPNNPV!a/E@@@
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 50
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:42666 -> 212.70.149.14:35342
Sample listens on a socket
Source: /tmp/2V7qaSy0Jl.elf (PID: 5461) Socket: 127.0.0.1::8345 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: sex.secure-cyber-security
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary
barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1 (init), result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 490, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 660, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 726, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 727, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 765, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 767, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 778, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 780, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 783, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 790, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 795, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1400, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1410, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1411, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1432, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1475, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1480, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1482, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1565, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1588, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1604, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1609, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1805, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2926, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2935, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2936, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2970, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2972, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2974, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3069, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3095, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3100, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3104, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3117, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3122, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3132, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3146, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3147, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3153, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3158, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3161, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3162, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3163, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3165, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3170, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3182, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3183, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3203, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3208, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3209, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3212, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3300, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3315, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3327, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3420, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3424, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3429, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3818, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5296, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5440, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5441, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5468, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5470, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5471, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5474, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5495, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5508, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5510, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5511, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5513, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5514, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5515, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5516, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5517, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5520, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5521, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5522, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5523, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5526, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5528, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5529, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5530, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5532, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5533, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5535, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5536, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5537, result: no such process Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5540, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5541, result: no such process Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5543, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5545, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5546, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5547, result: no such process Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5548, result: successful Jump to behavior
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: /proc/%s/exeself/proc/proc/%s/fd/%s%ssocket/proc//usr/bin//usr/sbin//usr/local/bin//usr/local/sbin//usr/lib//usr/lib64//etc//lib/systemd//usr/lib/systemd/usr/libexec//snap/snapd//snap/core//system/system/bin//hdisk//fhbak//factory_setting//mnt//dev/vdec/dev/fb1/home/hik/hicore/usr/local/nginx/sbin/nginx/dev/mem/fh//usr/syno//dev/adec/dev/fb3/SYSV00000000/dev/mmz_userdev/tmp/wd/onuProbe/app//var/Kylin/var/Challenge/usr/bin/pvalue_validation_server/opt/vyatta/sbin/ubnt-cfgd/init/usr/share//root/app//opt/VBox/CloudResetPwdUpdateAgent//usr/local/src/java//run/log/journal//usr/www/cgi-bin//web//htdocs//userfs/bin//config/dvr//opt/qcom/bin/pts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforpsPid=%d Path=%s%s/%s/tmp/var/mnt/root/boot/bin/sbin/home/dev/dev/null/dev/console/var/lib/docker/fd>
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1 (init), result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 490, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 660, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 726, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 727, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 765, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 767, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 778, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 780, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 783, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 790, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 795, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1400, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1410, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1411, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1432, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1475, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1480, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1482, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1565, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1588, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1604, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1609, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 1805, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2926, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2935, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2936, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2970, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2972, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 2974, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3069, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3095, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3100, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3104, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3117, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3122, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3132, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3146, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3147, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3153, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3158, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3161, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3162, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3163, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3165, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3170, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3182, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3183, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3203, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3208, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3209, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3212, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3300, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3315, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3327, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3420, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3424, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3429, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 3818, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5296, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5440, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5441, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5468, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5470, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5471, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5474, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5495, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5508, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5510, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5511, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5513, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5514, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5515, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5516, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5517, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5520, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5521, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5522, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5523, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5526, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5528, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5529, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5530, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5532, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5533, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5535, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5536, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5537, result: no such process Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5540, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5541, result: no such process Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5543, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5545, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5546, result: successful Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5547, result: no such process Jump to behavior
Source: /tmp/2V7qaSy0Jl.elf (PID: 5466) SIGKILL sent: pid: 5548, result: successful Jump to behavior
Source: classification engine Classification label: mal60.spre.troj.evad.linELF@0/0@73/0
Executes commands using a shell command-line interpreter
Source: /usr/bin/gpu-manager (PID: 5541) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5542) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 5531) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5534) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5537) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5544) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5547) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/2V7qaSy0Jl.elf (PID: 5461) File: /tmp/2V7qaSy0Jl.elf Jump to behavior
Deletes log files
Source: /usr/bin/gpu-manager (PID: 5540) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5545) Truncated file: /var/log/gpu-manager.log Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5531) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5537) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5544) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/2V7qaSy0Jl.elf (PID: 5461) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5508) Queries kernel information via 'uname': Jump to behavior
Source: 2V7qaSy0Jl.elf, 5471.1.000055f076c0f000.000055f076cb9000.rw-.sdmp Binary or memory string: U/mipsel/tmp/vmware-root_727-4290690966
Source: 2V7qaSy0Jl.elf, 5471.1.000055f076c0f000.000055f076cb9000.rw-.sdmp Binary or memory string: /mipsel/tmp/vmware-root_727-4290690966
Source: 2V7qaSy0Jl.elf, 5461.1.000055f076c0f000.000055f076cb9000.rw-.sdmp, 2V7qaSy0Jl.elf, 5468.1.000055f076c0f000.000055f076cb9000.rw-.sdmp, 2V7qaSy0Jl.elf, 5470.1.000055f076c0f000.000055f076cb9000.rw-.sdmp, 2V7qaSy0Jl.elf, 5471.1.000055f076c0f000.000055f076cb9000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 2V7qaSy0Jl.elf, 5471.1.000055f076c0f000.000055f076cb9000.rw-.sdmp Binary or memory string: U1/tmp/vmware-root_727-4290690966
Source: 2V7qaSy0Jl.elf, 5471.1.00007f9944431000.00007f994443c000.rw-.sdmp Binary or memory string: vmware-root_727-4290690966
Source: 2V7qaSy0Jl.elf, 5471.1.00007f994443c000.00007f994443e000.rw-.sdmp Binary or memory string: /tmp/vmware-root_727-4290690966
Source: 2V7qaSy0Jl.elf, 5471.1.00007f9944431000.00007f994443c000.rw-.sdmp Binary or memory string: vmware-root_727-4290690966RG
Source: 2V7qaSy0Jl.elf, 5471.1.00007f994443c000.00007f994443e000.rw-.sdmp Binary or memory string: a/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovfa1/tmp/vmware-root_727-4290690966
Source: 2V7qaSy0Jl.elf, 5461.1.000055f076c0f000.000055f076cb9000.rw-.sdmp, 2V7qaSy0Jl.elf, 5468.1.000055f076c0f000.000055f076cb9000.rw-.sdmp, 2V7qaSy0Jl.elf, 5470.1.000055f076c0f000.000055f076cb9000.rw-.sdmp, 2V7qaSy0Jl.elf, 5471.1.000055f076c0f000.000055f076cb9000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: 2V7qaSy0Jl.elf, 5461.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp, 2V7qaSy0Jl.elf, 5468.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp, 2V7qaSy0Jl.elf, 5470.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp, 2V7qaSy0Jl.elf, 5471.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp Binary or memory string: cx86_64/usr/bin/qemu-mipsel/tmp/2V7qaSy0Jl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/2V7qaSy0Jl.elf
Source: 2V7qaSy0Jl.elf, 5461.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp, 2V7qaSy0Jl.elf, 5468.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp, 2V7qaSy0Jl.elf, 5470.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp, 2V7qaSy0Jl.elf, 5471.1.00007ffc9df90000.00007ffc9dfb1000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
212.70.149.14
 unknown Bulgaria
208410 INTERNET-HOSTINGBG false
185.125.190.26
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
sex.secure-cyber-security.(f{166a/PV!EH(%15Lf(f2VVPV!a/EH@@ unknown unknown
kz.adolfhitler.su.(f66a/PV!EH(A05(f'!NNPV!a/E@y@@ unknown unknown
siegheil.hiter.su.2(f]d66a/PV!EH(]25[?2(feJJPV!a/E<m@@ unknown unknown
kz.adolfhitler.su.i(fJJPV!a/E<m@@Fi(f66a unknown unknown
kz.adolfhitler.su.(f4NNPV!a/E@E@@0G5,*kzadolfhitlersus(fDJJ unknown unknown
siegheil.hiter.su.1(fa66a/PV!EH(]+25?1(fbNNPV!a/E@'@@ unknown unknown
sex.secure-cyber-security.(fQ66a/PV!E((~.,03;5a(fSJJPV!a/E<@@.F"58$(fJJPV!a/E<@@iF"5 unknown unknown
kz.adolfhitler.su.(f7NNa/PV!E(@/HH3l5,jkzadolfhitlersus(f8NN unknown unknown
kz.adolfhitler.su.(f66a/PV!EH(h+mw=5ML(fINNPV!a/E@l@@ unknown unknown
siegheil.hiter.su.1(fc66a/PV!EH(]2_5/?1(f-NNPV!a/E@(@@ unknown unknown
siegheil.hiter.su.H(fGNNPV!a/E@@@b[%5,5siegheilhitersusM(fJJ unknown unknown
kz.adolfhitler.su.(fINNa/PV!E(@/H^3l5,Hjkzadolfhitlersus(fNN unknown unknown
kz.adolfhitler.su.(feNNa/PV!E(@#/HC3l5X,xjkzadolfhitlersus(fgNN unknown unknown
sex.secure-cyber-security.(fy66a/PV!E((H.,f3;5Na(fVVPV!a/EH@@ unknown unknown
kz.adolfhitler.su._(faNNPV!a/E@W@@q5,'kzadolfhitlersusd(fNN unknown unknown
sex.secure-cyber-security.(fk66a/PV!EH(F05_nof(fVVPV!a/EH@@ unknown unknown
kz.adolfhitler.su.(fDJJPV!a/E<W@sKyE 4@@pJ8PING(f8JJJPV.a/E<U@@F unknown unknown
security.rebirth-network.su. unknown unknown
siegheil.hiter.su.M(fJJPV!a/E<@@R0FE\4N(f#66a unknown unknown
siegheil.hiter.su.(fP@66a/PV!EH(15/(fEANNPV!a/E@.@@+5,/sieg.eilhitersun(f66a/PV!EH(0T5>/(fNN unknown unknown
siegheil.hiter.su.2(f66a/PV!EH(]2!51?2(fNNPV!a/E@(W@@ unknown unknown
kz.adolfhitler.su.(fN66a/PV!EH(h,lQ=5&L(fPNNPV!a/E@@@ unknown unknown
sex.secure-cyber-security.(fOG66a/PV!EH(/5t1f(fHJJPV!a/E<ol@@ unknown unknown
kz.adolfhitler.su.(fB66a/PV!EH(0$5(f'NNPV!a/E@@@ unknown unknown
kz.adolfhitler.su.(fpT66a/PV!EH(/5(fVNNPV!a/E@Q@@ unknown unknown
kz.adolfhitler.su.Z(fNNPV!a/E@U@@!5,kzadolfhitlersus_(faNN unknown unknown
kz.adolfhitler.su.(fNNa/PV!E(@d/H3l5, Fjkzadolfhitlersus(fNN unknown unknown
sex.secure-cyber-security.(fk66a/PV!E((.,3;5a(fVVPV!a/EH.@@ unknown unknown
sex.secure-cyber-security.(f'66a/PV!EH(0P5>f(fVVPV!a/EHd@@ unknown unknown
sex.secure-cyber-security.(f0\66a/PV!E((.,3;5a(f3]VVPV!a/EH]@@ unknown unknown
sex.secure-cyber-security.(f~66a/PV!E((9.,u3;56a(fVVPV!a/EH`@@ unknown unknown
kz.adolfhitler.su.d(fNNPV!a/E@\@@um5,+kzadolfhitlersusi(fJJ unknown unknown
kz.adolfhitler.su.p(fJNNPV!a/E@<t@@95,gkzadolfhitlersusu(fNN unknown unknown
kz.adolfhitler.su.(f66a/PV!EH(hb+m=5L(f?NNPV!a/E@ @@ unknown unknown
kz.adolfhitler.su.z(f1 NNPV!a/E@BB@@3V5,kzadolfhitlersus(f4NN unknown unknown
siegheil.hiter.su.(f^66a/PV!EH(/5/(fNNPV!a/E@ unknown unknown
siegheil.hiter.su.6(fBBBPV!a/E4@@o}J?[yr3`Nq%s9(fNNPV!a/.E@@ unknown unknown
siegheil.hiter.su.(f66a/PV!EH(0T5>/(fNNPV!a/E@.@@95,/siegheilhitersun(fpC66a/PV!EH(1'59 unknown unknown
kz.adolfhitler.su.(f&66a/PV!EH(0V5x(f'NNPV!a/E@@@ unknown unknown
kz.adolfhitler.su.(fENNa/PV!E(@/G3l5*,jkzadolfhitlersus(fXFJJ unknown unknown
siegheil.hiter.su.(fb66a/PV!EH(C15?/(f9dJJPV!a/E<.@@F_< unknown unknown
kz.adolfhitler.su.U(fUBBPV!a/E4@@o}J?[yr3`NqsU(fNNPV!a/.E@Q3@ unknown unknown
siegheil.hiter.su.(fpC66a/PV!EH(1'59?/(fDNNPV!a/E@ unknown unknown
kz.adolfhitler.su.(f66a/PV!EH(r15(fJJPV!a/E<@@.F%n1(fQ66a/PV!E((.,"F%P(fXXPV!a/E unknown unknown
siegheil.hiter.su.>(fZNNPV!a/E@@@R[%5,5siegheilhitersusC(fNN unknown unknown
kz.adolfhitler.su.u(fNNPV!a/E@?@@65,QGkzadolfhitlersusz(f1 NN unknown unknown
sex.secure-cyber-security unknown unknown
sex.secure-cyber-security.(fq66a/PV!EH( 05Z@f(ftVVPV!a/EH@@ unknown unknown
siegheil.hiter.su.1(f66a/PV!EH(]c25@5?1(fNNPV!a/E@'@@ unknown unknown
siegheil.hiter.su.C(fNNPV!a/E@@@[%5,5siegheilhitersusH(fGNN unknown unknown