Edit tour

Linux Analysis Report
morte.ppc.elf

Overview

General Information

Sample name:	morte.ppc.elf
Analysis ID:	1729402
Has dependencies:	false
MD5:	f9c49a7916e6b93716cf9bb7fffc59d1
SHA1:	4f8b456e2f4a6c95c0f954c72b50ad31779b6631
SHA256:	f837790f6bd7ac57839ddd424748f3b333161e9b92a1781bd95d8e481b4005b0
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Xmrig

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Xmrig cryptocurrency miner

Deletes system log files

Drops files in suspicious directories

Drops invisible ELF files

Found strings related to Crypto-Mining

Manipulation of devices in /dev

Sample deletes itself

Sample is packed with UPX

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to kill multiple processes (SIGKILL)

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1729402
Start date and time:	2025-07-06 07:56:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	morte.ppc.elf
Detection:	MAL
Classification:	mal100.spre.troj.evad.mine.linELF@0/7@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown

Runtime Messages

Command:	/tmp/morte.ppc.elf
PID:	5632
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

morte.ppc.elf (PID: 5632, Parent: 5550, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/morte.ppc.elf

morte.ppc.elf New Fork (PID: 5634, Parent: 5632)

morte.ppc.elf New Fork (PID: 5636, Parent: 5634)

morte.ppc.elf New Fork (PID: 5642, Parent: 5636)

sh (PID: 5642, Parent: 5636, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp /tmp/morte.ppc.elf /usr/bin/.sh"

sh New Fork (PID: 5644, Parent: 5642)

cp (PID: 5644, Parent: 5642, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /tmp/morte.ppc.elf /usr/bin/.sh

morte.ppc.elf New Fork (PID: 5645, Parent: 5636)

morte.ppc.elf New Fork (PID: 5647, Parent: 5645)

morte.ppc.elf New Fork (PID: 5649, Parent: 5645)

gvfsd-fuse New Fork (PID: 5655, Parent: 3147)

fusermount (PID: 5655, Parent: 3147, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

Xorg New Fork (PID: 5669, Parent: 1371)

sh (PID: 5669, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5670, Parent: 5669)

xkbcomp (PID: 5670, Parent: 5669, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

Xorg New Fork (PID: 5671, Parent: 1371)

sh (PID: 5671, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5672, Parent: 5671)

xkbcomp (PID: 5672, Parent: 5671, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
XMRIG		No Attribution	https://www.aquasec.com/blog/container-security-tnt-container-attack/ https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
5649.1.00007f1498013000.00007f1498015000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5632.1.00007f1498013000.00007f1498015000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5645.1.00007f1498013000.00007f1498015000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5636.1.00007f1498013000.00007f1498015000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5634.1.00007f1498013000.00007f1498015000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.ppc.elf PID: 5632	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.ppc.elf PID: 5632	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.ppc.elf PID: 5634	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.ppc.elf PID: 5634	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.ppc.elf PID: 5636	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.ppc.elf PID: 5636	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.ppc.elf PID: 5645	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.ppc.elf PID: 5645	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.ppc.elf PID: 5649	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.ppc.elf PID: 5649	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Click to see the 10 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: morte.ppc.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/bin/.sh

Avira: detection malicious, Label: EXP/ELF.Agent.F.118

Multi AV Scanner detection for submitted file

Source: morte.ppc.elf

ReversingLabs: Detection: 41%

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 5649.1.00007f1498013000.00007f1498015000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5632.1.00007f1498013000.00007f1498015000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5645.1.00007f1498013000.00007f1498015000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5636.1.00007f1498013000.00007f1498015000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5634.1.00007f1498013000.00007f1498015000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5634, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5645, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5649, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: morte.ppc.elf, 5632.1.00007f1498013000.00007f1498015000.r-x.sdmp

String found in binary or memory: cryptonight

Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:1338	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:1111	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:1213	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:1234	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:333	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:666	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:777	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:9999	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:5656	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:8585	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:6363	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:6969	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:3779	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:3778	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:38273	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:10345	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:23455	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:1991	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:21769	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:42352	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:48101	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:39182	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:47767	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:6667	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:1337	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:4321	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:232	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	Socket: 0.0.0.0:24136	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:37516 -> 65.222.202.53:80

Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53

Source: morte.ppc.elf, .sh.18.dr

String found in binary or memory: http://upx.sf.net

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 1399, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 1399, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 2991, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5707, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5707, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5708, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5708, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5709, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5709, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5710, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5710, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5711, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5711, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5712, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5712, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5713, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5713, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5714, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5714, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5715, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5715, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5716, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5716, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5717, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5717, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5718, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5718, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5719, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5719, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5720, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5720, result: no such process	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x100000

Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 1399, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 1399, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 2991, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5707, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5707, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5708, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5708, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5709, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5709, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5710, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5710, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5711, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5711, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5712, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5712, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5713, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5713, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5714, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5714, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5715, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5715, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5716, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5716, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5717, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5717, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5718, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5718, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5719, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5719, result: no such process	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5720, result: successful	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	SIGKILL sent: pid: 5720, result: no such process	Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.evad.mine.linELF@0/7@0/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/morte.ppc.elf (PID: 5649)	Deleted: /dev/null			Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5649)	Deleted: /dev/kmsg			Jump to behavior

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /bin/fusermount (PID: 5655)

File: /proc/5655/mounts

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/morte.ppc.elf (PID: 5636)

File: /etc/rc2.d/S99sysd -> /etc/init.d/sysd

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/morte.ppc.elf (PID: 5636)

File: /etc/init.d/sysd (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /usr/bin/cp (PID: 5644)

File: /usr/bin/.sh

Jump to behavior

Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3760/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3760/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3760/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3760/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3761/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3761/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3761/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3761/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1583/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1583/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1583/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/2672/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/2672/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/2672/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/110/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/110/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/110/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3759/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3759/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3759/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/3759/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/111/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/111/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/111/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/112/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/112/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/112/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/113/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/113/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/113/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/234/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/234/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/234/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1577/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1577/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/1577/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/114/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/114/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/114/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/235/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/235/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/235/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/115/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/115/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/115/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/116/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/116/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/116/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/117/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/117/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/117/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/118/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/118/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/118/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/119/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/119/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/119/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/10/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/10/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/10/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/917/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/917/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/11/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/11/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/11/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/12/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/12/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/12/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/13/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/13/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/13/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/14/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/14/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/14/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/15/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/15/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/15/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/16/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/16/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/16/fd	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/17/comm	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/17/maps	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5645)	File opened: /proc/17/fd	Jump to behavior

Source: /tmp/morte.ppc.elf (PID: 5642)	Shell command executed: sh -c "cp /tmp/morte.ppc.elf /usr/bin/.sh"	Jump to behavior
Source: /usr/lib/xorg/Xorg (PID: 5669)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior
Source: /usr/lib/xorg/Xorg (PID: 5671)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior

Source: /tmp/morte.ppc.elf (PID: 5636)

File: /etc/init.d/sysd (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /usr/bin/cp (PID: 5644)

File written: /usr/bin/.sh

Jump to dropped file

Source: /tmp/morte.ppc.elf (PID: 5636)

Writes shell script file to disk with an unusual file extension: /etc/init.d/sysd

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/morte.ppc.elf (PID: 5649)	Log files deleted: /var/log/Xorg.1.log	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5649)	Log files deleted: /var/log/auth.log	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5649)	Log files deleted: /var/log/kern.log	Jump to behavior
Source: /tmp/morte.ppc.elf (PID: 5649)	Log files deleted: /var/log/Xorg.0.log	Jump to behavior

Drops files in suspicious directories

Source: /tmp/morte.ppc.elf (PID: 5636)	File: /etc/init.d/sysd			Jump to dropped file
Source: /usr/bin/cp (PID: 5644)	File: /usr/bin/.sh			Jump to dropped file

Drops invisible ELF files

Source: /usr/bin/cp (PID: 5644)

ELF file: /usr/bin/.sh

Jump to dropped file

Sample deletes itself

Source: /tmp/morte.ppc.elf (PID: 5645)

File: /tmp/morte.ppc.elf

Jump to behavior

Source: morte.ppc.elf	Submission file: segment LOAD with 7.9691 entropy (max. 8.0)
Source: .sh.18.dr	Dropped file: segment LOAD with 7.9691 entropy (max. 8.0)

Source: /tmp/morte.ppc.elf (PID: 5632)

Queries kernel information via 'uname':

Jump to behavior

Source: morte.ppc.elf, 5636.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5645.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5649.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.r8n8dl
Source: morte.ppc.elf, 5649.1.00007f1498035000.00007f1498241000.rw-.sdmp	Binary or memory string: :$</var/lib/vmware/VGAuth/aliasStoreu
Source: morte.ppc.elf, 5649.1.000056539df33000.000056539df54000.rw-.sdmp	Binary or memory string: !/var/lib/fwupd/pki!/proc/3353/cmdlineQ/var/lib/snapd/assertions/asserts-v0/modelP!/proc/3361/cmdlineQ/var/lib/snapd/assertions/asserts-v0/snap-declarationP!/proc/3392/cmdlineQ/var/lib/snapd/assertions/asserts-v0/snap-revisionP!/proc/3398/cmdline1/var/lib/vmware/VGAuth/aliasStore*
Source: morte.ppc.elf, 5649.1.00007f1498035000.00007f1498241000.rw-.sdmp	Binary or memory string: /var/lib/vmware4/var/lib/PackageKit
Source: morte.ppc.elf, 5632.1.000056539de83000.000056539df33000.rw-.sdmp, morte.ppc.elf, 5634.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: morte.ppc.elf, 5632.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5634.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5636.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5645.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5649.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp	Binary or memory string: +x86_64/usr/bin/qemu-ppc/tmp/morte.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/morte.ppc.elf
Source: morte.ppc.elf, 5649.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_726-2957583432
Source: morte.ppc.elf, 5649.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: SV!/proc/3/exe1/tmp/vmware-root_726-2957583432!/proc/4/exe1/proc/286/exe/ppc/roc/4/exe0!/proc/5/exe1/proc/110/exe/ppc/proc/5/exe0!/proc/6/exe!/proc/252/exe/ppc/proa/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-fwupd.service-f23Ekj
Source: morte.ppc.elf, 5636.1.000056539de83000.000056539df33000.rw-.sdmp, morte.ppc.elf, 5645.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: morte.ppc.elf, 5649.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1/var/lib/systemd/coredump1/proc/1564/exe/ppc/7
Source: morte.ppc.elf, 5649.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: SV1/var/lib/cloud/scripts/vendor0!/var/lib/vmware0!/proc/1659/cmdline
Source: morte.ppc.elf, 5649.1.00007f1498035000.00007f1498241000.rw-.sdmp	Binary or memory string: (/var/lib/vmware/VGAuth/aliasStore
Source: morte.ppc.elf, 5632.1.000056539de83000.000056539df33000.rw-.sdmp, morte.ppc.elf, 5634.1.000056539de83000.000056539df33000.rw-.sdmp, morte.ppc.elf, 5636.1.000056539de83000.000056539df33000.rw-.sdmp, morte.ppc.elf, 5645.1.000056539de83000.000056539df33000.rw-.sdmp, morte.ppc.elf, 5649.1.000056539de83000.000056539df33000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: morte.ppc.elf, 5632.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5634.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5636.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5645.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5649.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: morte.ppc.elf, 5649.1.000056539df33000.000056539df54000.rw-.sdmp	Binary or memory string: /var/lib/snapd/assertions/asserts-v0/account-key/wrfougkz3Huq2T_KklfnufCC0HzG7bJ9wP99GV0FF-D3QH3eJtuSRlQc2JhrAoh132EF2dQ/var/lib/systemd/deb-systemd-user-helper-enabled/default.target.wants!/var/lib/vmware/VGAuth9
Source: morte.ppc.elf, 5649.1.00007f1498035000.00007f1498241000.rw-.sdmp	Binary or memory string: /var/lib/vmware
Source: morte.ppc.elf, 5649.1.00007f1498032000.00007f1498035000.rw-.sdmp	Binary or memory string: $/tmp/vmware-root_726-2957583432
Source: morte.ppc.elf, 5649.1.00007f1498035000.00007f1498241000.rw-.sdmp	Binary or memory string: </var/lib/vmware/VGAuth/aliasStore
Source: morte.ppc.elf, 5649.1.00007f1498035000.00007f1498241000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth
Source: morte.ppc.elf, 5636.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5645.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp, morte.ppc.elf, 5649.1.00007fff0b94b000.00007fff0b96c000.rw-.sdmp	Binary or memory string: SV/tmp/qemu-open.r8n8dl
Source: morte.ppc.elf, 5649.1.000056539df33000.000056539df54000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: morte.ppc.elf, 5649.1.000056539df33000.000056539df54000.rw-.sdmp	Binary or memory string: /ppc/var/lib/vmware/VGAuth/aliasStore

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5634, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5645, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5649, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5634, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5645, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.ppc.elf PID: 5649, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	1 Service Stop
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
morte.ppc.elf	42%	ReversingLabs	Linux.Worm.Mirai
morte.ppc.elf	100%	Avira	EXP/ELF.Agent.F.118

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/bin/.sh	100%	Avira	EXP/ELF.Agent.F.118
/etc/init.d/sysd	0%	Virustotal		Browse
/usr/bin/.sh	42%	ReversingLabs	Linux.Worm.Mirai

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	morte.ppc.elf, .sh.18.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.222.202.53	unknown	United States		394096	CAPEREGIONALHEALTHSYSTEMUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
65.222.202.53	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.spc.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CAPEREGIONALHEALTHSYSTEMUS	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.spc.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/sysd	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.x86_64.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse

Created / dropped Files

/etc/init.d/sysd

Download File

Process:	/tmp/morte.ppc.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.5892750707107135
Encrypted:	false
SSDEEP:	3:TKH4v09vzn:hw
MD5:	997CB34FF6E6CDED70B841C0D16C0938
SHA1:	CC85C16E2FB441D86AA668F376CA7FB4B181F1AB
SHA-256:	BA1D50D125344F273C249426CCD744D5A12E560ACE41CCA4BC55BD2D4A718D8F
SHA-512:	1E775CA8513F2841B6A8E369071B28C48489AB6462D06525F9B6B2BF97E9C043562BD7E0217307ED64A95217A76A94A08189616831C9D3127C6B91B7544570C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: morte.sh4.elf, Detection: malicious, Browse Filename: debug.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.x86_64.elf, Detection: malicious, Browse Filename: morte.arm.elf, Detection: malicious, Browse Filename: morte.arm.elf, Detection: malicious, Browse Filename: morte.sh4.elf, Detection: malicious, Browse Filename: morte.mips.elf, Detection: malicious, Browse Filename: morte.mips.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh./usr/bin/.sh &.

/tmp/qemu-open.r8n8dl (deleted)

Download File

Process:	/tmp/morte.ppc.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.47135448701393
Encrypted:	false
SSDEEP:	3:TgnRAlJ5:TgnRAl3
MD5:	B4B0FDB668732DD29134D956721FA359
SHA1:	7F0493F6F63DED1CC4937F792391787A8E646C3A
SHA-256:	ACCBC4FDFBCEC88EC115ADD331EFAF2B2DDD17633F80CC9E17FCD7E5ABEF54AE
SHA-512:	301E19A06EF9969F3DF38F7D2948EF723A6996915F1B12C2395C51A1A0B40800B83E7E9006656FE1A7B5CD1D7024589C5AD42C89B661629A3698A2CA7C3EC54C
Malicious:	false
Reputation:	low
Preview:	/tmp/morte.ppc.elf.

/tmp/server-0.xkm

Download File

Process:	/usr/bin/xkbcomp
File Type:	Compiled XKB Keymap: lsb, version 15
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	5.111453573529468
Encrypted:	false
SSDEEP:	96:5/DyE212zg/Jm3XEIr8llE4CwRvFhJvEXJRgsmEFaTa:tDyb2zOmnECQmww
MD5:	E25C5715C17078F7367E65D54CD5AE7F
SHA1:	D9E95B061E7C20FE56E2B2BC4A4FA904596E1BC1
SHA-256:	390E9784127FC99C105C6E04B41378F582238780716B04895D3216959701A7AF
SHA-512:	0FB4F11247D99B296E72DDB46D063B0DAABF8CEC75FF04364617362B3468CCC022B146E396EBAF494CC6A0E7F1FB011FCA9DBE52F83B29D1F6703C098298A54D
Malicious:	false
Reputation:	low
Preview:	.mkx..............D.......................h.......<.....P.@%.......&......D.......NumLock.....Alt.....LevelThree..LAlt....RAlt....RControl....LControl....ScrollLock..LevelFive...AltGr...Meta....Super...Hyper...........evdev+aliases(qwerty)...!.....ESC.AE01AE02AE03AE04AE05AE06AE07AE08AE09AE10AE11AE12BKSPTAB.AD01AD02AD03AD04AD05AD06AD07AD08AD09AD10AD11AD12RTRNLCTLAC01AC02AC03AC04AC05AC06AC07AC08AC09AC10AC11TLDELFSHBKSLAB01AB02AB03AB04AB05AB06AB07AB08AB09AB10RTSHKPMULALTSPCECAPSFK01FK02FK03FK04FK05FK06FK07FK08FK09FK10NMLKSCLKKP7.KP8.KP9.KPSUKP4.KP5.KP6.KPADKP1.KP2.KP3.KP0.KPDLLVL3....LSGTFK11FK12AB11KATAHIRAHENKHKTGMUHEJPCMKPENRCTLKPDVPRSCRALTLNFDHOMEUP..PGUPLEFTRGHTEND.DOWNPGDNINS.DELEI120MUTEVOL-VOL+POWRKPEQI126PAUSI128I129HNGLHJCVAE13LWINRWINCOMPSTOPAGAIPROPUNDOFRNTCOPYOPENPASTFINDCUT.HELPI147I148I149I150I151I152I153I154I155I156I157I158I159I160I161I162I163I164I165I166I167I168I169I170I171I172I173I174I175I176I177I178I179I180I181I182I183I184I185I186I187I188I189I190FK13FK14FK15FK16FK17FK18

/tmp/server-0.xkm (deleted)

Download File

Process:	/usr/bin/xkbcomp
File Type:	data
Category:	dropped
Size (bytes):	7964
Entropy (8bit):	4.445134545753843
Encrypted:	false
SSDEEP:	192:eVFfLaSLus4UVcqLkjoqdD//HJeCQ1+JdDx0s2T:8Ff+S6tUzmp7/1MJ
MD5:	F56EFBEDAF34ED68117AC764FE0F9883
SHA1:	922926245BECBB231692B58C71E63C91FD798E72
SHA-256:	F7B27416182331623CD2773CABCB8B25E91D31D4243F16AE09F9C9E63869DE55
SHA-512:	F364C5F688BEA7D07291813186311DCF65BC5C3F7600D286BF553E6955EE418A1D8884B5B71E550DFB282FA9B3BF71E3B0A009E1DD41C983612AB4D4676E1062
Malicious:	false
Reputation:	low
Preview:	..Shift Alt...Ctrl+Alt..................................".SEPARATE_CAPS_AND_SHIFT_ALPHABETIC..........................Base....Shift...AltGr Base..Shift AltGr.........................................FOUR_LEVEL_PLUS_LOCK....Base....Shift...Alt Base....Shift Alt...Lock....................................FOUR_LEVEL_KEYPAD...Base....Number..Alt Base....Alt Number......h...complete..{...................................................................................................................................................................................................................................................................................................~.......................................................................................................................................................................................................................................................................................................................................

/usr/bin/.sh

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Category:	dropped
Size (bytes):	41216
Entropy (8bit):	7.9668914030292255
Encrypted:	false
SSDEEP:	768:9cWyiippNPrE0T7VGz8FlGrp4ue/BtQZf0PDADUFcs6xIeRKiE4uVcqgw09r:S/pvrE27E0lGrpLCBeZfmtcsynjE4u+1
MD5:	F9C49A7916E6B93716CF9BB7FFFC59D1
SHA1:	4F8B456E2F4A6C95C0F954C72B50AD31779B6631
SHA-256:	F837790F6BD7AC57839DDD424748F3B333161E9B92A1781BD95D8E481B4005B0
SHA-512:	3E1C384A2DB5C34E50C09D5842D2BF246E38A2724A053146DFC3E456B698BABA11B706AF8F9B3F9C680203ACB5B8EB19F3BE3514599E8BCE4260F61FB6E3D8F0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	.ELF...........................4.........4. ...(....................................................................dt.Q................................UPX!..........m...m........U.......?.E.h4...@b............uJ..;Zu,.Zs.h..........>...tfM..$d.[..b........}.......e....f.......J.[...(..v........$...m..p......h..z.Y.Z.N.&..d.).]..W..iU...{0..'[.W......jT..~.c...Y?..6.(.w.\6".Xs...&.9.}.".^Nc....K..l.]F1.^}....d.G...*.C.3...~.......#@..i..O`x.h\;50.`.2..$!t>.^.d.t..\|T..<....N.d._......\I.!..d..=6..5.`'.........G....u^F..)o.....f['.G$..2b..k..%..!9.&@-Se.6..X.c..B..[.W...+.1k.~....()1-...#...F..UL1=.p.F.G....#.]...j]..I.....C....Vy...pw$).J. 1......},.g.e...1..rt..AbhN.0..p..\...1.Y..u#.."t+...X:._..D....9O.kq.~.k.....q...<.....cs..(.B...q..L...e.HLt..=.8D.....\...R[...d..mQ.C.......c.....RdYTe...J..5l.A...... .UI....+..I..B....h..$.w.O.cI.h].fs..r..wb..&..mN.f_g\.4..Hr......2.h....4...g....\}>7.'y.(".a.......Z. ....?...g)B....GE#.b...v..

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.9668914030292255
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	morte.ppc.elf
File size:	41'216 bytes
MD5:	f9c49a7916e6b93716cf9bb7fffc59d1
SHA1:	4f8b456e2f4a6c95c0f954c72b50ad31779b6631
SHA256:	f837790f6bd7ac57839ddd424748f3b333161e9b92a1781bd95d8e481b4005b0
SHA512:	3e1c384a2db5c34e50c09d5842d2bf246e38a2724a053146dfc3e456b698baba11b706af8f9b3f9c680203acb5b8eb19f3be3514599e8bce4260f61fb6e3d8f0
SSDEEP:	768:9cWyiippNPrE0T7VGz8FlGrp4ue/BtQZf0PDADUFcs6xIeRKiE4uVcqgw09r:S/pvrE27E0lGrpLCBeZfmtcsynjE4u+1
TLSH:	D803F069C9CA3C56EEFA79689EB54281BB748F1877165CD9224CDF4303323B123687C8
File Content Preview:	.ELF...........................4.........4. ...(....................................................................dt.Q................................UPX!..........m...m........U.......?.E.h4...@b..............uJ..;Zu,.Zs.h...........>...tfM..$d.[..b...

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x108e18
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0xa000	0xa000	7.9691	0x5	R E	0x10000
LOAD	0xdf0	0x10030df0	0x10030df0	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2025 07:57:41.408463955 CEST	37516	80	192.168.2.14	65.222.202.53
Jul 6, 2025 07:57:42.411488056 CEST	37516	80	192.168.2.14	65.222.202.53
Jul 6, 2025 07:57:44.427345037 CEST	37516	80	192.168.2.14	65.222.202.53
Jul 6, 2025 07:57:48.587248087 CEST	37516	80	192.168.2.14	65.222.202.53
Jul 6, 2025 07:57:53.341835022 CEST	37518	80	192.168.2.14	65.222.202.53
Jul 6, 2025 07:57:54.346921921 CEST	37518	80	192.168.2.14	65.222.202.53

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2025 07:57:40.973711014 CEST	42293	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:41.059534073 CEST	53	42293	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:41.061482906 CEST	54669	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:41.147077084 CEST	53	54669	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:41.148312092 CEST	35192	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:41.233814955 CEST	53	35192	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:41.234934092 CEST	38997	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:41.320650101 CEST	53	38997	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:41.321671009 CEST	39804	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:41.407691002 CEST	53	39804	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:52.910197973 CEST	40171	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:52.996035099 CEST	53	40171	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:52.996718884 CEST	41326	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:53.082129955 CEST	53	41326	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:53.082875967 CEST	44820	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:53.168356895 CEST	53	44820	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:53.169048071 CEST	39044	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:53.254743099 CEST	53	39044	8.8.8.8	192.168.2.14
Jul 6, 2025 07:57:53.255423069 CEST	60961	53	192.168.2.14	8.8.8.8
Jul 6, 2025 07:57:53.341399908 CEST	53	60961	8.8.8.8	192.168.2.14

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 6, 2025 07:57:41.109348059 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable
Jul 6, 2025 07:59:01.120095968 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable

System Behavior

Analysis Process: morte.ppc.elf PID: 5632, Parent PID: 5550

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	/tmp/morte.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5634, Parent PID: 5632

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5636, Parent PID: 5634

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5642, Parent PID: 5636

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: sh PID: 5642, Parent PID: 5636

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	sh -c "cp /tmp/morte.ppc.elf /usr/bin/.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5644, Parent PID: 5642

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5644, Parent PID: 5642

General

Start time (UTC):	05:57:31
Start date (UTC):	06/07/2025
Path:	/usr/bin/cp
Arguments:	cp /tmp/morte.ppc.elf /usr/bin/.sh
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5645, Parent PID: 5636

General

Start time (UTC):	05:57:32
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5647, Parent PID: 5645

General

Start time (UTC):	05:57:32
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5649, Parent PID: 5645

General

Start time (UTC):	05:57:32
Start date (UTC):	06/07/2025
Path:	/tmp/morte.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: gvfsd-fuse PID: 5655, Parent PID: 3147

General

Start time (UTC):	05:57:36
Start date (UTC):	06/07/2025
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Chronological Activities

Analysis Process: fusermount PID: 5655, Parent PID: 3147

General

Start time (UTC):	05:57:36
Start date (UTC):	06/07/2025
Path:	/bin/fusermount
Arguments:	fusermount -u -q -z -- /run/user/1000/gvfs
File size:	39144 bytes
MD5 hash:	576a1b135c82bdcbc97a91acea900566

Chronological Activities

Analysis Process: Xorg PID: 5669, Parent PID: 1371

General

Start time (UTC):	05:57:36
Start date (UTC):	06/07/2025
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5669, Parent PID: 1371

General

Start time (UTC):	05:57:36
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5670, Parent PID: 5669

General

Start time (UTC):	05:57:36
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5670, Parent PID: 5669

General

Start time (UTC):	05:57:36
Start date (UTC):	06/07/2025
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Chronological Activities

Analysis Process: Xorg PID: 5671, Parent PID: 1371

General

Start time (UTC):	05:57:37
Start date (UTC):	06/07/2025
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5671, Parent PID: 1371

General

Start time (UTC):	05:57:37
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5672, Parent PID: 5671

General

Start time (UTC):	05:57:37
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5672, Parent PID: 5671

General

Start time (UTC):	05:57:37
Start date (UTC):	06/07/2025
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report morte.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/init.d/sysd

/tmp/qemu-open.r8n8dl (deleted)

/tmp/server-0.xkm

/tmp/server-0.xkm (deleted)

/usr/bin/.sh

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

System Behavior

Analysis Process: morte.ppc.elf PID: 5632, Parent PID: 5550

General

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5634, Parent PID: 5632

General

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5636, Parent PID: 5634

General

Chronological Activities

Analysis Process: morte.ppc.elf PID: 5642, Parent PID: 5636

General

Chronological Activities

Linux Analysis Report
morte.ppc.elf