Linux Analysis Report s54l0GKMh9

Overview

General Information

Sample Name: s54l0GKMh9
Analysis ID: 452440
MD5: 1a11fb2e59573ff9c8461a5998496ec4
SHA1: 0ac1b218948da361997a3dbf43859cedf732bc88
SHA256: 874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Opens /sys/class/net/* files useful for querying network interface information
Sample is packed with UPX
Sample tries to kill many processes (SIGKILL)
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452440
Start date: 22.07.2021
Start time: 11:08:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: s54l0GKMh9
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal80.spre.troj.spyw.evad.lin@0/8@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.19, 91.189.92.39, 91.189.92.41, 91.189.92.38, 91.189.92.40, 91.189.92.20
  • Excluded domains from analysis (whitelisted): api.snapcraft.io
  • Report size exceeded maximum capacity and may have missing network information.

Process Tree

  • system is lnxubuntu1
  • s54l0GKMh9 (PID: 4589, Parent: 4518, MD5: 1a11fb2e59573ff9c8461a5998496ec4) Arguments: /usr/bin/qemu-mipsel /tmp/s54l0GKMh9
  • systemd New Fork (PID: 4619, Parent: 1)
  • sshd (PID: 4619, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • systemd New Fork (PID: 4634, Parent: 1)
  • NetworkManager (PID: 4634, Parent: 1, MD5: 43dcb4efce9c2c522442ae62538bf659) Arguments: /usr/sbin/NetworkManager --no-daemon
  • systemd New Fork (PID: 4648, Parent: 1)
  • nm-online (PID: 4648, Parent: 1, MD5: ac72f7c256e548d273a5133a245a1638) Arguments: /usr/bin/nm-online -s -q --timeout=30
  • systemd New Fork (PID: 4661, Parent: 1)
  • nm-dispatcher (PID: 4661, Parent: 1, MD5: 7d4ef829ade49b564256f3f295f9c826) Arguments: /usr/lib/NetworkManager/nm-dispatcher
    • 01ifupdown (PID: 4678, Parent: 4661, MD5: 299819a8e64f00a1edbdfc99d05a8594) Arguments: /bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname
  • systemd New Fork (PID: 4674, Parent: 1)
  • systemd-hostnamed (PID: 4674, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed
  • systemd New Fork (PID: 4699, Parent: 1)
  • snapd (PID: 4699, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd
  • systemd New Fork (PID: 4718, Parent: 1)
  • iscsiadm (PID: 4718, Parent: 1, MD5: b9363fe8099be776e324a481e209d7c4) Arguments: /sbin/iscsiadm -k 0 2
  • systemd New Fork (PID: 4742, Parent: 1)
  • sshd (PID: 4742, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • systemd New Fork (PID: 4794, Parent: 1)
  • systemd-hostnamed (PID: 4794, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed
  • systemd New Fork (PID: 4816, Parent: 1)
  • snapd (PID: 4816, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd
  • systemd New Fork (PID: 4837, Parent: 1)
  • sshd (PID: 4837, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • cleanup

Yara Overview

PCAP (Network Traffic)

Source      Rule                   Description           Author         Strings
dump.pcap   JoeSecurity_Mirai_12   Yara detected Mirai   Joe Security

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: s54l0GKMh9; Virustotal: Detection: 34%
    Source: s54l0GKMh9; ReversingLabs: Detection: 39%

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.5.250.108: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 196.202.145.94: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56462
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.242.139.198: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38660
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38660
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.108.245: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52824
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 77.159.171.165: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.49.58.212: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.212.27.88: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 194.116.33.34: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 205.174.22.7: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.14.14.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.100.20.96: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.236.34.108: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.151.155.125: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.183.200: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52882
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 182.248.109.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.226.75.198: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52896
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.44.116.205: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.196.50.200: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 155.4.209.217:23 -> 192.168.2.20:36442
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.5.108.144: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.174.17.65: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.6.231.170: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52908
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.41.125.188: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.225.55.191: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 74.75.84.129: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52918
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 59.128.115.201: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38782
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38782
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.212.55.180: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.214.131.170: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.228.46.62: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.187.248: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40300
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40300
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.134.16.23: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52934
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.93.50.80: -> 192.168.2.20:
    Opens /sys/class/net/* files useful for querying network interface information
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/ens160/uevent
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/ens160/phys_port_id
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/ens160/dev_id
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/lo/phys_port_id
    Source: /usr/sbin/NetworkManager (PID: 4634); Opens: /sys/class/net/lo/dev_id
    Uses known network protocols on non-standard ports
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44096
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44100
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44102
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44106
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44116
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44122
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44128
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44140
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44156
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 44158
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41462
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41466
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41470
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41482
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41486
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41492
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41506
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41520
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41534
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41560
    Source: global traffic; TCP traffic: 192.168.2.20:35686 -> 37.230.137.227:1312
    Source: /tmp/s54l0GKMh9 (PID: 4606); Socket: 0.0.0.0::0
    Source: /tmp/s54l0GKMh9 (PID: 4606); Socket: 0.0.0.0::23
    Source: /tmp/s54l0GKMh9 (PID: 4606); Socket: 0.0.0.0::53413
    Source: /tmp/s54l0GKMh9 (PID: 4606); Socket: 0.0.0.0::80
    Source: /tmp/s54l0GKMh9 (PID: 4606); Socket: 0.0.0.0::52869
    Source: /tmp/s54l0GKMh9 (PID: 4606); Socket: 0.0.0.0::37215
    Source: /tmp/s54l0GKMh9 (PID: 4611); Socket: 0.0.0.0::0
    Source: /tmp/s54l0GKMh9 (PID: 4611); Socket: 0.0.0.0::23
    Source: /tmp/s54l0GKMh9 (PID: 4611); Socket: 0.0.0.0::53413
    Source: /tmp/s54l0GKMh9 (PID: 4611); Socket: 0.0.0.0::80
    Source: /tmp/s54l0GKMh9 (PID: 4611); Socket: 0.0.0.0::52869
    Source: /tmp/s54l0GKMh9 (PID: 4611); Socket: 0.0.0.0::37215
    Source: /usr/sbin/sshd (PID: 4619); Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4619); Socket: [::]::22
    Source: /usr/sbin/sshd (PID: 4742); Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4742); Socket: [::]::22
    Source: /usr/sbin/sshd (PID: 4837); Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4837); Socket: [::]::22
    Source: s54l0GKMh9; String found in binary or memory: http://upx.sf.net

    System Summary:

    Sample tries to kill many processes (SIGKILL)
    Source: /tmp/s54l0GKMh9 (PID: 4606); SIGKILL sent: pid: 1339, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4606, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 1059, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 1065, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 1091, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 1362, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 1363, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3289, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3308, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3484, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3491, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3496, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3501, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3596, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3601, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3606, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3611, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3616, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3790, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 3791, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4614, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4619, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4634, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4699, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4742, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611); SIGKILL sent: pid: 4611, result: successful
    Source: LOAD without section mappings; Program segment: 0x100000
    Source: classification engine; Classification label: mal80.spre.troj.spyw.evad.lin@0/8@0/0

    Data Obfuscation:

    Sample is packed with UPX
    Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /usr/sbin/NetworkManager (PID: 4634); Directory: /root/.cache
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1091/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1065/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1084/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1095/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/550/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/496/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1017/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1059/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1024/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1145/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/535/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1078/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1155/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1119/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606); File opened: /proc/1339/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1065/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1065/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1065/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3485/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3484/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3484/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3484/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1062/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3482/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3481/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1060/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/4606/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/4606/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/4608/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/4608/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/4608/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1059/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1059/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1059/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3479/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3512/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3477/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1452/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/514/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3632/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/519/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3518/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3497/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3133/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3496/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3496/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/3496/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1072/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611); File opened: /proc/1072/fd
    Source: /usr/lib/snapd/snapd (PID: 4699); Reads from proc file: /proc/sys/net/core/somaxconn
    Source: /usr/lib/snapd/snapd (PID: 4699); Reads from proc file: /proc/sys/kernel/hostname
    Source: /usr/lib/snapd/snapd (PID: 4816); Reads from proc file: /proc/sys/net/core/somaxconn
    Source: /usr/lib/snapd/snapd (PID: 4816); Reads from proc file: /proc/sys/kernel/hostname

    Hooking and other Techniques for Hiding and Protection:

    Source: /tmp/s54l0GKMh9 (PID: 4589)Queries kernel information via 'uname': Jump to behavior
    Source: /usr/sbin/NetworkManager (PID: 4634)Queries kernel information via 'uname': Jump to behavior
    Source: /lib/systemd/systemd-hostnamed (PID: 4674)Queries kernel information via 'uname': Jump to behavior
    Source: /usr/lib/snapd/snapd (PID: 4699)Queries kernel information via 'uname': Jump to behavior
    Source: /lib/systemd/systemd-hostnamed (PID: 4794)Queries kernel information via 'uname': Jump to behavior
    Source: /usr/lib/snapd/snapd (PID: 4816)Queries kernel information via 'uname': Jump to behavior

    Mitre Att&ck Matrix

    Tactic: technique cells, row 1; row 2 (a number in parentheses is the count of matched signatures shown in the original matrix)

    Initial Access: Valid Accounts; Default Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job
    Persistence: Path Interception; Boot or Logon Initialization Scripts
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
    Defense Evasion: Hidden Files and Directories (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping (1); LSASS Memory
    Discovery: Security Software Discovery (1); System Information Discovery (1)
    Lateral Movement: Remote Services; Remote Desktop Protocol
    Collection: Network Information Discovery (1); Data from Removable Media
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
    Command and Control: Non-Standard Port (11); Junk Data
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
    Impact: Modify System Partition; Device Lockout

    Malware Configuration

    No configs have been found

    Behavior Graph

    Behavior Graph ID: 452440; Sample: s54l0GKMh9; Start date: 22/07/2021; Architecture: LINUX; Score: 80

    DNS/IP nodes:
    • 114.69.243.154, port 23 (WORLDPHONE-INASNumberforInterdomainRoutingIN, India)
    • 195.15.200.99 (VTX-NETWORKCH, Switzerland)
    • 98 other IPs or domains

    Signatures attached to the top-level node:
    • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    • Multi AV Scanner detection for submitted file
    • Yara detected Mirai
    • 2 other signatures

    Process tree (child processes indented under their parent):
    • s54l0GKMh9 (started)
      • s54l0GKMh9 (started)
        • s54l0GKMh9 (started); signature: Sample tries to kill many processes (SIGKILL)
        • s54l0GKMh9 (started)
        • s54l0GKMh9 (started)
      • s54l0GKMh9 (started); signature: Sample tries to kill many processes (SIGKILL)
      • s54l0GKMh9 (started)
    • systemd -> NetworkManager (started); signature: Opens /sys/class/net/* files useful for querying network interface information
    • systemd -> nm-dispatcher (started)
      • nm-dispatcher -> 01ifupdown (started)
    • 9 other processes

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    s54l0GKMh9 | 34% | Virustotal | -
    s54l0GKMh9 | 39% | ReversingLabs | Linux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | s54l0GKMh9 | false | - | high

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      106.114.147.23 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
      96.203.126.160 | unknown | United States | 7922 | COMCAST-7922US | false
      203.210.130.208 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | false
      242.51.200.14 | unknown | Reserved | unknown | unknown | false
      69.79.2.213 | unknown | United States | 23520 | COLUMBUS-NETWORKSUS | false
      89.133.164.83 | unknown | Hungary | 6830 | LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding | false
      47.38.71.139 | unknown | United States | 20115 | CHARTER-20115US | false
      218.39.74.160 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
      223.37.188.117 | unknown | Korea Republic of | 9644 | SKTELECOM-NET-ASSKTelecomKR | false
      195.15.200.99 | unknown | Switzerland | 12350 | VTX-NETWORKCH | false
      59.89.254.145 | unknown | India | 9829 | BSNL-NIBNationalInternetBackboneIN | false
      44.43.86.40 | unknown | United States | 7377 | UCSDUS | false
      94.20.234.131 | unknown | Azerbaijan | 199731 | NAKHINTERNET-ISPAZ | false
      160.79.21.199 | unknown | United States | 24867 | ADAPT-ASGB | false
      99.250.223.76 | unknown | Canada | 812 | ROGERS-COMMUNICATIONSCA | false
      109.124.248.94 | unknown | Russian Federation | 35032 | TAHIONISP-ASRU | false
      139.240.73.123 | unknown | United States | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
      90.54.152.98 | unknown | France | 3215 | FranceTelecom-OrangeFR | false
      252.134.181.234 | unknown | Reserved | unknown | unknown | false
      203.66.61.49 | unknown | Taiwan; Republic of China (ROC) | 3462 | HINETDataCommunicationBusinessGroupTW | false
      168.236.44.110 | unknown | United States | 3136 | STATE-OF-WISCONSIN-AS1US | false
      200.209.218.229 | unknown | Brazil | 4230 | CLAROSABR | false
      151.50.163.103 | unknown | Italy | 1267 | ASN-WINDTREIUNETEU | false
      42.50.47.134 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
      252.47.186.21 | unknown | Reserved | unknown | unknown | false
      102.200.137.34 | unknown | unknown | 36926 | CKL1-ASNKE | false
      216.116.80.116 | unknown | United States | 14010 | JACKHENRYUS | false
      189.215.130.159 | unknown | Mexico | 28538 | CablemasTelecomunicacionesSAdeCVMX | false
      152.136.225.31 | unknown | China | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | false
      198.209.55.33 | unknown | United States | 26934 | UNIVERSITY-OF-MISSOURI---COLUMBIAUS | false
      60.237.160.8 | unknown | Japan | 2518 | BIGLOBEBIGLOBEIncJP | false
      193.169.96.22 | unknown | Russian Federation | 49510 | TCV-ASCZ | false
      24.131.135.95 | unknown | United States | 7922 | COMCAST-7922US | false
      153.144.115.36 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | false
      23.190.64.85 | unknown | United States | 394256 | CLOUDSINGULARITYCA | false
      167.4.234.142 | unknown | United States | 51964 | ORANGE-BUSINESS-SERVICES-IPSN-ASNFR | false
      103.120.250.186 | unknown | India | 17665 | IN2CABLE-APASNumberofIndusindMediaandcommunicationLt | false
      160.248.62.37 | unknown | Japan | 2514 | INFOSPHERENTTPCCommunicationsIncJP | false
      5.51.2.160 | unknown | France | 5410 | BOUYGTEL-ISPFR | false
      125.160.53.234 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | false
      142.247.130.1 | unknown | Saudi Arabia | 25019 | SAUDINETSTC-ASSA | false
      109.248.108.198 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
      250.106.144.35 | unknown | Reserved | unknown | unknown | false
      114.69.243.154 | unknown | India | 18002 | WORLDPHONE-INASNumberforInterdomainRoutingIN | false
      163.189.225.254 | unknown | Australia | 55542 | RMSNET-AS-APRoadsandMaritimeServicesAU | false
      196.215.73.129 | unknown | South Africa | 3741 | ISZA | false
      98.101.210.191 | unknown | United States | 11426 | TWC-11426-CAROLINASUS | false
      66.66.21.33 | unknown | United States | 11351 | TWC-11351-NORTHEASTUS | false
      250.76.10.0 | unknown | Reserved | unknown | unknown | false
      147.116.206.235 | unknown | United States | 766 | REDIRISRedIRISAutonomousSystemES | false
      188.83.167.211 | unknown | Portugal | 3243 | MEO-RESIDENCIALPT | false
      107.248.194.130 | unknown | United States | 7018 | ATT-INTERNET4US | false
      35.23.30.138 | unknown | United States | 36375 | UMICH-AS-5US | false
      97.146.192.157 | unknown | United States | 6167 | CELLCO-PARTUS | false
      155.41.128.74 | unknown | United States | 111 | BOSTONU-ASUS | false
      32.192.89.13 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
      17.41.75.245 | unknown | United States | 714 | APPLE-ENGINEERINGUS | false
      185.205.152.125 | unknown | Poland | 205706 | LEGMANPL | false
      157.37.76.71 | unknown | India | 55836 | RELIANCEJIO-INRelianceJioInfocommLimitedIN | false
      197.100.167.157 | unknown | South Africa | 3741 | ISZA | false
      160.232.244.58 | unknown | United States | 11259 | ANGOLATELECOMAO | false
      152.150.46.109 | unknown | United Kingdom | 10455 | LUCENT-CIOUS | false
      188.211.223.60 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
      195.97.85.116 | unknown | Greece | 3329 | HOL-GRAthensGreeceGR | false
      200.130.28.164 | unknown | Brazil | 1916 | AssociacaoRedeNacionaldeEnsinoePesquisaBR | false
      115.76.248.177 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | false
      217.215.135.185 | unknown | Sweden | 3301 | TELIANET-SWEDENTeliaCompanySE | false
      161.25.164.196 | unknown | Chile | 1916 | AssociacaoRedeNacionaldeEnsinoePesquisaBR | false
      223.28.184.116 | unknown | Korea Republic of | 17597 | SAEROMNET-AS-KRTBROADSaeromNamdongSeohaebroadcastingKR | false
      12.243.182.108 | unknown | United States | 7018 | ATT-INTERNET4US | false
      175.114.50.218 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
      38.95.43.246 | unknown | United States | 174 | COGENT-174US | false
      121.165.152.132 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false
      180.244.198.4 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | false
      176.104.41.175 | unknown | Ukraine | 41435 | UNDERNET-AS1UA | false
      101.184.26.83 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | false
      211.40.186.144 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | false
      16.108.127.103 | unknown | United States | unknown | unknown | false
      32.35.17.51 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
      121.33.183.226 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
      183.105.180.39 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false
      95.240.28.160 | unknown | Italy | 3269 | ASN-IBSNAZIT | false
      249.108.201.111 | unknown | Reserved | unknown | unknown | false
      37.35.120.99 | unknown | Switzerland | 15600 | FINECOMQuicklineAGCH | false
      16.111.181.7 | unknown | United States | unknown | unknown | false
      106.199.18.119 | unknown | India | 45609 | BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService | false
      245.129.132.24 | unknown | Reserved | unknown | unknown | false
      126.208.173.196 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      85.164.4.5 | unknown | Norway | 2119 | TELENOR-NEXTELTelenorNorgeASNO | false
      62.122.50.178 | unknown | Russian Federation | 47530 | NVTC-ASRU | false
      196.253.231.70 | unknown | South Africa | 8094 | PUKNETZA | false
      92.242.80.177 | unknown | Russian Federation | 8371 | VIMPELCOM-NNVimpelcomNizhniyNovgorodbranchfixednetwo | false
      211.118.236.136 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | false
      1.58.95.38 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
      124.13.77.47 | unknown | Malaysia | 4788 | TMNET-AS-APTMNetInternetServiceProviderMY | false
      218.223.148.221 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      211.188.255.117 | unknown | Korea Republic of | 9644 | SKTELECOM-NET-ASSKTelecomKR | false
      89.252.43.211 | unknown | Ukraine | 31148 | FREENET_LLCUA | false
      102.154.176.208 | unknown | Tunisia | 5438 | ATI-TN | false
      147.215.163.231 | unknown | France | 2439 | FR-REMUSMANofthePolytechnicumEU | false


      Runtime Messages

      Command: /tmp/s54l0GKMh9
      Exit Code: 0
      Exit Code Info:
      Killed: False
      Standard Output:
      Connected To CNC
      Standard Error:

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      Match | Associated Sample Name / URL | Detection | Context

      Match: VNPT-AS-VNVNPTCorpVN
      A7X93JRxhp | malicious | 113.166.97.119
      XuQRPW44hi | malicious | 123.18.19.86
      CefN2XNyFi | malicious | 14.170.32.127
      1dqNLZONFY | malicious | 113.173.201.220
      7OAzOUL9cd | malicious | 123.29.161.171
      iUmNR6tkEd | malicious | 14.234.227.130
      SvmxfeZM5Z | malicious | 14.165.136.70
      ehn0f1d63M | malicious | 14.227.0.49
      qgQgEjI283 | malicious | 14.163.209.143
      pV4uIDCdSN | malicious | 123.30.106.181
      zhPAQB7FPV | malicious | 14.167.4.190
      SQCRu7Fwjk | malicious | 14.178.200.75
      Dvf7OP92yJ | malicious | 14.188.254.245
      Ebl8uJRI5t | malicious | 14.253.31.190
      XBu8Vn3bIM | malicious | 113.175.131.153
      Md3k7pepaq | malicious | 14.250.168.229
      a1sMR3Vj8o | malicious | 14.172.186.10
      8wzyljMmmn | malicious | 14.179.21.192
      lq2609LxT8 | malicious | 113.166.84.52
      Rl9KiguX35 | malicious | 113.175.218.219

      Match: CHINANET-BACKBONENo31Jin-rongStreetCN
      z0FwvGSnDF | malicious | 218.3.209.122
      D1dU3jQ1II | malicious | 124.175.64.107
      sDwNKSpuhB | malicious | 222.214.85.14
      A7X93JRxhp | malicious | 14.121.14.117
      8ZJ0cPowTy | malicious | 117.67.60.6
      92CRMNlBq8 | malicious | 113.122.55.88
      XuQRPW44hi | malicious | 120.41.157.122
      Taf5zLti30 | malicious | 14.113.198.126
      5qpsqg7U0G | malicious | 106.236.30.71
      LyxN1ckWTW | malicious | 182.137.82.39
      U1R7Ed7940 | malicious | 122.7.204.153
      GEso3CniSk | malicious | 121.238.137.180
      BTNNG17tlh | malicious | 222.177.200.161
      VGi1EK6T17 | malicious | 27.25.204.97
      apep.mips | malicious | 222.80.71.247
      U4r9W64doy | malicious | 183.20.87.42
      C4PozjQdGE | malicious | 117.44.124.210
      kb5IbEJU8c | malicious | 222.87.131.215
      CefN2XNyFi | malicious | 116.54.173.39
      1dqNLZONFY | malicious | 180.140.66.174

      Match: COMCAST-7922US
      D1dU3jQ1II | malicious | 73.221.68.185
      sDwNKSpuhB | malicious | 66.31.123.8
      A7X93JRxhp | malicious | 174.160.234.12
      92CRMNlBq8 | malicious | 96.129.115.21
      XuQRPW44hi | malicious | 96.75.11.28
      Taf5zLti30 | malicious | 73.105.22.60
      5qpsqg7U0G | malicious | 50.150.213.54
      LyxN1ckWTW | malicious | 73.76.173.103
      VGi1EK6T17 | malicious | 96.193.32.170
      U4r9W64doy | malicious | 76.142.58.