Source: kWVY0Rqmlx.elf |
ReversingLabs: Detection: 13% |
Source: kWVY0Rqmlx.elf |
Virustotal: Detection: 24% |
Perma Link |
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) |
Reads CPU info from proc file: /proc/cpuinfo |
Jump to behavior |
Source: global traffic |
TCP traffic: 192.168.2.13:39284 -> 80.182.142.45:5900 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.182.142.45 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: daisy.ubuntu.com |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox |
Source: Initial sample |
String containing 'busybox' found: /proc/proc/%s/exe/var/Challenge/app/hi3511/gmDVR/ibox/usr/dvr_main _8182T_1108/mnt/mtd/app/gui/var/Kylin/l0 c/udevd/anko-app/ankosample _8182T_1104/var/tmp/sonia/hicore/stm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-server/usr//shell/mnt//sys//bin//boot//media//srv//var/run//sbin//lib//etc//dev//home/Davinci/telnet/ssh/var/spool/var/Sofia/sshd/usr/compress/bin//compress/bin/compress/usr//bash/httpd/telnetd/dropbear/ropbear/encoder/system/root/dvr_gui//root/dvr_app//anko-app//opt//softbot.arm/softbot.arm6/softbot.dbg/softbot.mpsl/softbot.x86/softbot.arm5/softbot.arm7/softbot.mips/softbot.sh4softbot.armsoftbot.arm6softbot.dbgsoftbot.mpslsoftbot.x86softbot.arm5softbot.arm7softbot.mipssoftbot.sh4/bin/sh8.8.8.8murderwaswrote |
Source: ELF static info symbol of initial sample |
.symtab present: no |
Source: classification engine |
Classification label: mal56.troj.linELF@0/0@2/0 |
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) |
Reads from proc file: /proc/cpuinfo |
Jump to behavior |
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) |
Reads from proc file: /proc/meminfo |
Jump to behavior |
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) |
Reads CPU info from proc file: /proc/cpuinfo |
Jump to behavior |
Source: /tmp/kWVY0Rqmlx.elf (PID: 5406) |
Queries kernel information via 'uname': |
Jump to behavior |
Source: kWVY0Rqmlx.elf, 5406.1.000055c48b310000.000055c48b397000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.000055c48b310000.000055c48b397000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/mips |
Source: kWVY0Rqmlx.elf, 5406.1.000055c48b310000.000055c48b397000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.000055c48b310000.000055c48b397000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mips |
Source: kWVY0Rqmlx.elf, 5406.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/kWVY0Rqmlx.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kWVY0Rqmlx.elf |
Source: kWVY0Rqmlx.elf, 5406.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mips |
Source: Yara match |
File source: kWVY0Rqmlx.elf, type: SAMPLE |
Source: Yara match |
File source: 5410.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 5406.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5406, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5410, type: MEMORYSTR |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 |
Source: Yara match |
File source: kWVY0Rqmlx.elf, type: SAMPLE |
Source: Yara match |
File source: 5410.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 5406.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5406, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5410, type: MEMORYSTR |