Linux Analysis Report
0t102oBJAv.elf

Overview

General Information

Sample name: 0t102oBJAv.elf (renamed because the original name is a hash value)
Original sample name: 33cf60a722022cd0fd31003c2e000626.elf
Analysis ID: 1433171
MD5: 33cf60a722022cd0fd31003c2e000626
SHA1: a2e81e49134c4af4bee9fd2e9a6c01c3d10497d5
SHA256: 6b0d8e266c9cca15b2349b09a441e000b867dc672e825980070e19fcfe503731
Tags: 32, elf, mirai, renesas

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums", many variants of the Mirai family have appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

Source: 0t102oBJAv.elf Avira: detected
Source: 0t102oBJAv.elf ReversingLabs: Detection: 42%
Source: 0t102oBJAv.elf Virustotal: Detection: 41%
Source: 0t102oBJAv.elf String: /root//tmp//dev//bin//etc//boot//usr//mnt//var//proc/self/exe/cmdlinewgettftpchmodcurl/exe/sbin//snap/

Networking

Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:43046 -> 119.163.181.85:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:51450 -> 171.34.150.101:23
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:47794 -> 171.127.69.74:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:47886 -> 171.127.69.74:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:47886 -> 171.127.69.74:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:47672 -> 176.223.89.186:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:33370 -> 124.67.161.200:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:52796 -> 171.34.150.101:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:44492 -> 200.174.44.250:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:41098 -> 110.6.25.38:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:41098 -> 110.6.25.38:23
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:47748 -> 191.81.188.218:23
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:57602 -> 190.177.237.181:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:40148 -> 5.11.152.162:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:53560 -> 171.34.150.101:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48720 -> 181.20.177.25:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:33198 -> 148.255.120.99:23
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:47148 -> 186.128.24.175:23
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:40848 -> 38.111.111.145:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:37342 -> 90.145.238.38:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:39870 -> 122.96.239.254:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:59538 -> 190.49.85.10:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:59538 -> 190.49.85.10:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:60618 -> 62.231.4.129:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:34234 -> 190.174.156.65:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:59174 -> 186.128.171.198:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:35294 -> 124.67.161.200:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:35294 -> 124.67.161.200:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:58698 -> 119.120.196.233:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:58698 -> 119.120.196.233:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:57148 -> 122.116.38.50:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:59576 -> 219.141.82.240:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:37756 -> 90.145.238.38:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48508 -> 139.170.40.242:23
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:59242 -> 59.127.199.18:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:40384 -> 122.241.14.214:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:38014 -> 61.169.43.142:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:49912 -> 191.81.188.218:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:41740 -> 38.111.111.145:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:41740 -> 38.111.111.145:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:48542 -> 186.132.147.34:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48542 -> 186.132.147.34:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:41310 -> 2.55.86.17:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:41310 -> 2.55.86.17:23
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41412 -> 37.232.98.246:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:53524 -> 59.139.29.29:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48548 -> 189.204.168.203:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:48812 -> 186.132.147.34:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48812 -> 186.132.147.34:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:54380 -> 190.48.4.242:23
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:41676 -> 2.55.86.17:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48792 -> 189.204.168.203:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:54926 -> 190.48.4.242:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:56008 -> 88.255.93.171:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:38260 -> 203.130.0.149:23
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47950
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47990
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48006
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48028
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48110
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48144
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48170
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56024
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56030
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56060
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56092
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56126
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56148
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56166
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55898
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55920
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55942
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55962
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55974
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55996
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56012
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56032
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56042
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47662
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47686
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50512
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50542
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50564
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50586
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50608
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50624
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47720
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50650
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47862
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50676
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50694
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47912
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47938
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47964
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47984
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48000
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41412
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41490
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41516
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41540
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41568
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41586
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41596
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41612
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55600
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55612
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55630
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55648
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55668
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55684
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55692
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55712
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55724
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55706
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55750
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55762
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55778
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55790
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55804
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55818
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55838
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55848
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55868
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55890
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45226
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45238
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45242
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45248
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45270
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45294
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45302
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45310
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59460
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59480
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59508
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59524
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54986
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59524
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55006
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59540
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55030
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59600
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55056
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55092
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55114
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55164
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59630
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55076
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59766
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55208
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55212
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59786
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55226
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55230
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55246
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55248
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55260
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55276
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55300
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55308
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55318
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55338
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55358
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55376
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55388
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55396
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55416
Source: global traffic TCP traffic: 192.168.2.23:42734 -> 45.128.232.208:33335
Source: /tmp/0t102oBJAv.elf (PID: 6221) Socket: 127.0.0.1::33337
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 45.128.232.208
Source: unknown TCP traffic detected without corresponding DNS query: 138.60.111.106
Source: unknown TCP traffic detected without corresponding DNS query: 132.146.51.62
Source: unknown TCP traffic detected without corresponding DNS query: 124.251.53.91
Source: unknown TCP traffic detected without corresponding DNS query: 106.197.47.189
Source: unknown TCP traffic detected without corresponding DNS query: 26.22.25.20
Source: unknown TCP traffic detected without corresponding DNS query: 172.6.194.55
Source: unknown TCP traffic detected without corresponding DNS query: 114.36.111.25
Source: unknown TCP traffic detected without corresponding DNS query: 161.18.204.69
Source: unknown TCP traffic detected without corresponding DNS query: 191.20.15.230
Source: unknown TCP traffic detected without corresponding DNS query: 90.251.212.9
Source: unknown TCP traffic detected without corresponding DNS query: 213.95.162.96
Source: unknown TCP traffic detected without corresponding DNS query: 140.124.192.161
Source: unknown TCP traffic detected without corresponding DNS query: 49.150.42.14
Source: unknown TCP traffic detected without corresponding DNS query: 157.190.141.92
Source: unknown TCP traffic detected without corresponding DNS query: 47.71.46.91
Source: unknown TCP traffic detected without corresponding DNS query: 52.55.98.206
Source: unknown TCP traffic detected without corresponding DNS query: 106.179.190.158
Source: unknown TCP traffic detected without corresponding DNS query: 130.16.150.13
Source: unknown TCP traffic detected without corresponding DNS query: 40.8.196.238
Source: unknown TCP traffic detected without corresponding DNS query: 157.233.213.54
Source: unknown TCP traffic detected without corresponding DNS query: 206.202.66.238
Source: unknown TCP traffic detected without corresponding DNS query: 106.57.207.126
Source: unknown TCP traffic detected without corresponding DNS query: 46.113.240.168
Source: unknown TCP traffic detected without corresponding DNS query: 144.176.225.227
Source: unknown TCP traffic detected without corresponding DNS query: 76.254.233.53
Source: unknown TCP traffic detected without corresponding DNS query: 208.172.49.41
Source: unknown TCP traffic detected without corresponding DNS query: 247.102.120.157
Source: unknown TCP traffic detected without corresponding DNS query: 135.124.61.20
Source: unknown TCP traffic detected without corresponding DNS query: 246.149.38.136
Source: unknown TCP traffic detected without corresponding DNS query: 189.232.255.208
Source: unknown TCP traffic detected without corresponding DNS query: 162.118.90.190
Source: unknown TCP traffic detected without corresponding DNS query: 186.19.25.10
Source: unknown TCP traffic detected without corresponding DNS query: 111.148.81.37
Source: unknown TCP traffic detected without corresponding DNS query: 219.92.65.207
Source: unknown TCP traffic detected without corresponding DNS query: 18.112.215.222
Source: unknown TCP traffic detected without corresponding DNS query: 164.1.140.223
Source: unknown TCP traffic detected without corresponding DNS query: 176.2.238.162
Source: unknown TCP traffic detected without corresponding DNS query: 169.253.64.162
Source: unknown TCP traffic detected without corresponding DNS query: 252.105.30.32
Source: unknown TCP traffic detected without corresponding DNS query: 158.22.175.194
Source: unknown TCP traffic detected without corresponding DNS query: 105.32.89.35
Source: unknown TCP traffic detected without corresponding DNS query: 222.224.185.136
Source: unknown TCP traffic detected without corresponding DNS query: 67.64.1.195
Source: unknown TCP traffic detected without corresponding DNS query: 86.40.143.83
Source: unknown TCP traffic detected without corresponding DNS query: 217.184.219.109
Source: unknown TCP traffic detected without corresponding DNS query: 108.188.29.108
Source: unknown TCP traffic detected without corresponding DNS query: 128.42.54.179
Source: unknown TCP traffic detected without corresponding DNS query: 21.193.51.197
Source: unknown TCP traffic detected without corresponding DNS query: 76.206.16.178
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
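Reading the Networking section as a responder: every Snort hit above is the sample's own Telnet scanner trying factory default passwords against port 23 (xc3511, vizxv and ubnt are entries from Mirai's credential table, and the HiSilicon DVR rule fires on the same sessions as the xc3511 rule, as the repeated source ports show), so the alert count overstates the number of logins. Port 23 is Telnet, so the "HTTP traffic on port 23 -> <high port>" entries are best read as the targets' replies to the scanner's ephemeral ports rather than web traffic; 91.189.91.42 and 91.189.91.43 on 443 sit in Canonical (Ubuntu) address space and are most likely the guest's own background traffic. What is left after removing the scan is a single outbound connection to a non-standard port with no preceding DNS lookup, 192.168.2.23:42734 -> 45.128.232.208:33335, which is the flow to treat as the command-and-control candidate. The script below is an example added here, not Joe Sandbox tooling: it parses lines in the report's format, counts attempts per credential family and per target, collapses duplicate alerts on one session, and ranks the remaining flows. The embedded input is a constructed subset copied from the lines above; EXPECTED_PORTS is an assumption about which ports the scan and guest background traffic use.

```python
"""Added triage example (not Joe Sandbox tooling): summarise the Snort alerts and raw TCP
flows listed in the Networking section and separate the Telnet credential scan from the
one outbound connection that looks like command-and-control.
"""
import re
from collections import Counter

# Constructed input: a handful of lines copied verbatim from the report above.
REPORT_LINES = """\
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:43046 -> 119.163.181.85:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:51450 -> 171.34.150.101:23
Source: Traffic Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.23:47886 -> 171.127.69.74:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:47886 -> 171.127.69.74:23
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:57602 -> 190.177.237.181:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:53560 -> 171.34.150.101:23
Source: global traffic TCP traffic: 192.168.2.23:42734 -> 45.128.232.208:33335
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 45.128.232.208
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SNORT_RE = re.compile(rf"Snort IDS: (\d+) (.+?) {IP}:(\d+) -> {IP}:(\d+)$")
TCP_RE = re.compile(rf"TCP traffic: {IP}:(\d+) -> {IP}:(\d+)$")
NODNS_RE = re.compile(rf"without corresponding DNS query: {IP}$")

# Assumption: ports used by the scanner itself (Telnet) and by ordinary guest
# background traffic (web). Anything else outbound is worth a second look.
EXPECTED_PORTS = {23, 2323, 80, 443}


def parse_report(text):
    """Split report lines into Snort alerts, raw TCP flows and hosts contacted without DNS."""
    alerts, flows, no_dns = [], [], set()
    for line in text.splitlines():
        if m := SNORT_RE.search(line):
            sid, msg, src, sport, dst, dport = m.groups()
            alerts.append({"sid": int(sid), "msg": msg, "src": src, "sport": int(sport),
                           "dst": dst, "dport": int(dport)})
        elif m := TCP_RE.search(line):
            src, sport, dst, dport = m.groups()
            flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
        elif m := NODNS_RE.search(line):
            no_dns.add(m.group(1))
    return alerts, flows, no_dns


def telnet_attempts(alerts):
    """Alerts per target host and per (SID, message), i.e. per default-credential family."""
    per_target, per_rule = Counter(), Counter()
    for a in alerts:
        if a["dport"] in (23, 2323):
            per_target[a["dst"]] += 1
            per_rule[(a["sid"], a["msg"])] += 1
    return per_target, per_rule


def telnet_sessions(alerts):
    """Distinct Telnet sessions: two rules firing on the same source port are one login."""
    return {(a["src"], a["sport"], a["dst"], a["dport"])
            for a in alerts if a["dport"] in (23, 2323)}


def c2_candidates(flows, no_dns):
    """Outbound flows to ports outside the scan/web set; raw-IP (no DNS) destinations first."""
    cands = [(f["dst"], f["dport"], f["dst"] in no_dns)
             for f in flows if f["dport"] not in EXPECTED_PORTS]
    return sorted(cands, key=lambda c: (not c[2], c[0], c[1]))


if __name__ == "__main__":
    alerts, flows, no_dns = parse_report(REPORT_LINES)
    per_target, per_rule = telnet_attempts(alerts)
    print(f"{len(telnet_sessions(alerts))} Telnet sessions, {len(alerts)} alerts")
    for (sid, msg), n in per_rule.most_common():
        print(f"  SID {sid}: {n}x {msg}")
    for dst, port, nodns in c2_candidates(flows, no_dns):
        print(f"C2 candidate {dst}:{port} (contacted without DNS lookup: {nodns})")
```

Feeding the whole saved report through parse_report instead of the embedded subset gives the full tally; on this page the only flow that survives c2_candidates is 45.128.232.208:33335.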

System Summary

Source: 0t102oBJAv.elf, type: SAMPLE Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6221.1.00007f0e28400000.00007f0e2840d000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: ELF static info symbol of initial sample .symtab present: no
Source: 0t102oBJAv.elf, type: SAMPLE Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6221.1.00007f0e28400000.00007f0e2840d000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine Classification label: mal100.troj.linELF@0/0@0/0
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6230/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6353/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6231/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1582/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/3088/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/230/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/110/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/231/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/111/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/232/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1579/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/112/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/233/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1699/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/113/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/234/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1335/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1698/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/114/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/235/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1334/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1576/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/2302/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/115/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/236/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/116/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/237/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/117/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/118/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/910/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6226/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/119/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/912/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6228/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/10/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/2307/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/11/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/918/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/12/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/13/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6243/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6242/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/14/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6245/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/15/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6244/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/16/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6247/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/17/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6246/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/18/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1594/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/120/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/121/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1349/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/122/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/243/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/123/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/2/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/3/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/124/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/4/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/125/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/126/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1344/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1465/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1586/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/127/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/248/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/128/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/249/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1463/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/800/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/9/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/801/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/20/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/21/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1900/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6252/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/22/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6251/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/23/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6254/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/24/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6253/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/25/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/26/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/27/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/28/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/29/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/491/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/250/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/6250/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/130/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/251/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/252/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/132/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/253/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/254/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/255/cmdline
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/256/cmdline Jump to behavior
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/1599/cmdline Jump to behavior
Source: /tmp/0t102oBJAv.elf (PID: 6223) File opened: /proc/257/cmdline Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47950
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47990
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48006
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48028
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48110
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48144
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48170
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56024
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56030
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56060
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56092
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56126
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56148
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56166
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55898
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55920
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55942
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55962
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55974
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55996
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56012
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56032
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56042
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47662
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47686
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50512
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50542
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50564
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50586
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50608
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50624
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47720
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50650
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47862
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50676
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50694
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47912
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47938
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47964
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47984
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 48000
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41412
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41490
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41516
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41540
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41568
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41586
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41596
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41612
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55600
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55612
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55630
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55648
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55668
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55684
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55692
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55712
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55724
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55706
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55750
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55762
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55778
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55790
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55804
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55818
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55838
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55848
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55868
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55890
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45226
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45238
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45242
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45248
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45270
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45294
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45302
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45310
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59460
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59480
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59508
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59524
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54986
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59524
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55006
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59540
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55030
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59600
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55056
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55092
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55114
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55164
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59630
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55076
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59766
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55208
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55212
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59786
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55226
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55230
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55246
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55248
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55260
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55276
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55300
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55308
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55318
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55338
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55358
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55376
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55388
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55396
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55416
Source: /tmp/0t102oBJAv.elf (PID: 6221) Queries kernel information via 'uname'
Source: 0t102oBJAv.elf, 6221.1.00007ffe6ffac000.00007ffe6ffcd000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: 0t102oBJAv.elf, 6221.1.00007ffe6ffac000.00007ffe6ffcd000.rw-.sdmp Binary or memory string: IbW=Ix86_64/usr/bin/qemu-sh4/tmp/0t102oBJAv.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/0t102oBJAv.elf
Source: 0t102oBJAv.elf, 6221.1.00005561f95e8000.00005561f966c000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: 0t102oBJAv.elf, 6221.1.00005561f95e8000.00005561f966c000.rw-.sdmp Binary or memory string: aU5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0t102oBJAv.elf, type: SAMPLE
Source: Yara match File source: 6221.1.00007f0e28400000.00007f0e2840d000.r-x.sdmp, type: MEMORY
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7

Remote Access Functionality

Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (ubnt)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (ubnt)
Source: Traffic Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (vizxv)
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0t102oBJAv.elf, type: SAMPLE
Source: Yara match File source: 6221.1.00007f0e28400000.00007f0e2840d000.r-x.sdmp, type: MEMORY