Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf

Overview

General Information

Sample name:SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf
Analysis ID:1504849
MD5:dd979274e98e98c09cec002bbb9463b0
SHA1:4be98164f9324eb25fc688964c19c5c004e60e6c
SHA256:6fd2b5684b508d9cb2c316daad9964381fdb3e3e73ebfe26f0c977385980452b
Tags:elf
Infos:

Detection

Mirai
Score:76
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1504849
Start date and time:2024-09-05 14:22:12 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf
Detection:MAL
Classification:mal76.troj.evad.linELF@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
  • VT rate limit hit for: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf
Command:/tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf
PID:5484
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
5498.1.00007fa158017000.00007fa15802e000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
    5498.1.00007fa158017000.00007fa15802e000.r-x.sdmpJoeSecurity_Mirai_5Yara detected MiraiJoe Security
      5498.1.00007fa158017000.00007fa15802e000.r-x.sdmpMirai_Botnet_MalwareDetects Mirai Botnet MalwareFlorian Roth
      • 0x15b48:$x1: POST /cdn-cgi/
      • 0x16000:$s1: LCOGQGPTGP
      5498.1.00007fa158017000.00007fa15802e000.r-x.sdmpMAL_ELF_LNX_Mirai_Oct10_2Detects ELF malware Mirai relatedFlorian Roth
      • 0x15b48:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
      5488.1.00007fa158017000.00007fa15802e000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
        Click to see the 10 entries
        No Suricata rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elfReversingLabs: Detection: 44%
        Source: global trafficTCP traffic: 192.168.2.14:49644 -> 154.216.17.218:9506
        Source: global trafficTCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
        Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.218
        Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.218
        Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.218
        Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.218
        Source: unknownTCP traffic detected without corresponding DNS query: 207.161.33.53
        Source: unknownTCP traffic detected without corresponding DNS query: 123.108.138.53
        Source: unknownTCP traffic detected without corresponding DNS query: 71.119.154.80
        Source: unknownTCP traffic detected without corresponding DNS query: 169.71.254.127
        Source: unknownTCP traffic detected without corresponding DNS query: 107.100.225.151
        Source: unknownTCP traffic detected without corresponding DNS query: 16.154.179.173
        Source: unknownTCP traffic detected without corresponding DNS query: 140.225.65.237
        Source: unknownTCP traffic detected without corresponding DNS query: 182.106.175.2
        Source: unknownTCP traffic detected without corresponding DNS query: 171.230.40.137
        Source: unknownTCP traffic detected without corresponding DNS query: 112.147.96.117
        Source: unknownTCP traffic detected without corresponding DNS query: 39.0.112.21
        Source: unknownTCP traffic detected without corresponding DNS query: 254.181.188.27
        Source: unknownTCP traffic detected without corresponding DNS query: 115.187.220.217
        Source: unknownTCP traffic detected without corresponding DNS query: 73.139.17.77
        Source: unknownTCP traffic detected without corresponding DNS query: 218.237.139.51
        Source: unknownTCP traffic detected without corresponding DNS query: 202.6.138.12
        Source: unknownTCP traffic detected without corresponding DNS query: 94.61.138.222
        Source: unknownTCP traffic detected without corresponding DNS query: 180.187.139.123
        Source: unknownTCP traffic detected without corresponding DNS query: 58.134.241.252
        Source: unknownTCP traffic detected without corresponding DNS query: 9.216.156.167
        Source: unknownTCP traffic detected without corresponding DNS query: 194.171.255.3
        Source: unknownTCP traffic detected without corresponding DNS query: 119.86.166.241
        Source: unknownTCP traffic detected without corresponding DNS query: 153.151.34.5
        Source: unknownTCP traffic detected without corresponding DNS query: 119.57.53.172
        Source: unknownTCP traffic detected without corresponding DNS query: 43.249.68.170
        Source: unknownTCP traffic detected without corresponding DNS query: 141.237.138.178
        Source: unknownTCP traffic detected without corresponding DNS query: 135.230.123.244
        Source: unknownTCP traffic detected without corresponding DNS query: 66.143.207.222
        Source: unknownTCP traffic detected without corresponding DNS query: 136.157.192.206
        Source: unknownTCP traffic detected without corresponding DNS query: 223.137.39.51
        Source: unknownTCP traffic detected without corresponding DNS query: 41.80.218.230
        Source: unknownTCP traffic detected without corresponding DNS query: 174.98.62.83
        Source: unknownTCP traffic detected without corresponding DNS query: 106.160.223.29
        Source: unknownTCP traffic detected without corresponding DNS query: 157.119.31.34
        Source: unknownTCP traffic detected without corresponding DNS query: 48.123.230.235
        Source: unknownTCP traffic detected without corresponding DNS query: 86.163.60.253
        Source: unknownTCP traffic detected without corresponding DNS query: 96.224.159.34
        Source: unknownTCP traffic detected without corresponding DNS query: 156.131.11.17
        Source: unknownTCP traffic detected without corresponding DNS query: 146.251.234.13
        Source: unknownTCP traffic detected without corresponding DNS query: 88.94.158.228
        Source: unknownTCP traffic detected without corresponding DNS query: 154.244.61.50
        Source: unknownTCP traffic detected without corresponding DNS query: 18.232.247.172
        Source: unknownTCP traffic detected without corresponding DNS query: 191.1.23.70
        Source: unknownTCP traffic detected without corresponding DNS query: 169.53.104.126
        Source: unknownTCP traffic detected without corresponding DNS query: 207.55.20.242
        Source: unknownTCP traffic detected without corresponding DNS query: 254.133.91.9
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elfString found in binary or memory: http://upx.sf.net
        Source: unknownNetwork traffic detected: HTTP traffic on port 46540 -> 443

        System Summary

        barindex
        Source: 5498.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
        Source: 5498.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Detects ELF malware Mirai related Author: Florian Roth
        Source: 5488.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
        Source: 5488.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Detects ELF malware Mirai related Author: Florian Roth
        Source: 5484.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
        Source: 5484.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Detects ELF malware Mirai related Author: Florian Roth
        Source: LOAD without section mappingsProgram segment: 0x8000
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5486)SIGKILL sent: pid: 767, result: successfulJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5486)SIGKILL sent: pid: 5327, result: successfulJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)SIGKILL sent: pid: 767, result: successfulJump to behavior
        Source: 5498.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
        Source: 5498.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
        Source: 5488.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
        Source: 5488.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
        Source: 5484.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
        Source: 5484.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORYMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
        Source: classification engineClassification label: mal76.troj.evad.linELF@0/0@0/0

        Data Obfuscation

        barindex
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/2672/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1583/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3244/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3120/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3361/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3239/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1577/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1610/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/512/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1299/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3235/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/514/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3751/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3631/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3752/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3753/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/519/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/2946/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/917/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/5432/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3134/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1593/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3011/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3094/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/2955/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3406/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1589/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3129/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1588/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3402/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3125/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3246/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3245/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/767/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/800/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/888/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/801/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/769/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/803/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/806/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/807/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/928/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/2956/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3420/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/490/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3142/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1635/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1633/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1599/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3139/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1873/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1630/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3412/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/657/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/658/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/659/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/418/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/419/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1639/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1638/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3398/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1371/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3392/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/780/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/660/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/661/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/782/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1369/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3304/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3425/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/785/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1642/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/940/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/941/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1640/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3147/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3268/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1364/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/548/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/5327/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1647/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3680/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/2991/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1383/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1382/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1381/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/791/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/671/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/794/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1655/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/795/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/674/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1653/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/797/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/2983/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3159/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/678/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1650/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3157/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/679/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/1659/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3319/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/5470/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/5471/exeJump to behavior
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5496)File opened: /proc/3178/exeJump to behavior
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elfSubmission file: segment LOAD with 7.9684 entropy (max. 8.0)
        Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf (PID: 5484)Queries kernel information via 'uname': Jump to behavior
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5484.1.00007ffd11a86000.00007ffd11aa7000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5488.1.00007ffd11a86000.00007ffd11aa7000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5498.1.00007ffd11a86000.00007ffd11aa7000.rw-.sdmpBinary or memory string: ix86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5484.1.000055e7ab76d000.000055e7ab8fb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5488.1.000055e7ab76d000.000055e7ab8fb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5498.1.000055e7ab76d000.000055e7ab8fb000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5484.1.000055e7ab76d000.000055e7ab8fb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5488.1.000055e7ab76d000.000055e7ab8fb000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5498.1.000055e7ab76d000.000055e7ab8fb000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5484.1.00007ffd11a86000.00007ffd11aa7000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5488.1.00007ffd11a86000.00007ffd11aa7000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf, 5498.1.00007ffd11a86000.00007ffd11aa7000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: 5498.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5488.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5484.1.00007fa158017000.00007fa15802e000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf PID: 5484, type: MEMORYSTR
        Source: Yara matchFile source: Process Mem