Linux Analysis Report mirkatclpb.arm

Overview

General Information

Sample Name: mirkatclpb.arm
Analysis ID: 491830
MD5: f11d4deb3dc156310b53b21e22c5663a
SHA1: f785ac4c47b99459a8ce236aa76df115af76dd7f
SHA256: 64e0601e1a0a1bb7f8f170ea14efa55b1f17aaefad94edf0b96cfdbebeb689e8

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill many processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34420
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46262
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46262
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:50944
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:50944
Source: Traffic Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34516
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51036
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51036
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51094
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51094
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51138
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51138
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54810
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54810
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46488
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46488
Source: Traffic Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34680
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.123.70.174:23 -> 192.168.2.23:34200
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.123.70.174:23 -> 192.168.2.23:34200
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54824
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54824
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51182
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51182
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54842
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54842
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54864
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54864
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54870
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54870
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51216
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51216
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54874
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54874
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54900
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54900
Source: Traffic Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:41368 -> 81.136.190.29:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51244
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51244
Source: Traffic Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:41376 -> 81.136.190.29:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54930
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54930
Source: Traffic Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34798
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38080
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38080
Source: Traffic Snort IDS: 2023443 ET TROJAN Possible Linux.Mirai Login Attempt (klv123) 192.168.2.23:41416 -> 81.136.190.29:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54954
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54954
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.123.70.174:23 -> 192.168.2.23:34346
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.123.70.174:23 -> 192.168.2.23:34346
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51308
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51308
Source: Traffic Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:41442 -> 81.136.190.29:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46644
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46644
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54986
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54986
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41458 -> 81.136.190.29:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38130
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38130
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51350
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51350
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38146
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38146
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51366
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51366
Source: Traffic Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34904
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38188
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38188
Source: Traffic Snort IDS: 716 INFO TELNET access 197.230.97.166:23 -> 192.168.2.23:39634
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.123.70.174:23 -> 192.168.2.23:34438
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.123.70.174:23 -> 192.168.2.23:34438
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38202
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38202
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46756
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46756
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38258
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38258
Source: Traffic Snort IDS: 492 INFO TELNET login failed 116.101.239.225:23 -> 192.168.2.23:54246
Source: Traffic Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:35022
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38316
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38316
Source: Traffic Snort IDS: 716 INFO TELNET access 197.230.97.166:23 -> 192.168.2.23:39776
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57766
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57768
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57770
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57772
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57776
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57778
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57780
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57782
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57782
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57784
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57786
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:58880 -> 178.17.171.119:1312
Sample listens on a socket
Source: /tmp/mirkatclpb.arm (PID: 5227) Socket: 0.0.0.0::0
Source: /tmp/mirkatclpb.arm (PID: 5227) Socket: 0.0.0.0::53413
Source: /tmp/mirkatclpb.arm (PID: 5227) Socket: 0.0.0.0::80
Source: /tmp/mirkatclpb.arm (PID: 5227) Socket: 0.0.0.0::37215
Source: /tmp/mirkatclpb.arm (PID: 5233) Socket: 0.0.0.0::0
Source: /tmp/mirkatclpb.arm (PID: 5233) Socket: 0.0.0.0::53413
Source: /tmp/mirkatclpb.arm (PID: 5233) Socket: 0.0.0.0::80
Source: /tmp/mirkatclpb.arm (PID: 5233) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5262) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5262) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5357) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5357) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5359) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5359) Socket: [::]::22
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: mirkatclpb.arm String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 5233, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 720, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 759, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 788, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 800, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 847, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 884, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2096, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2097, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2102, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2180, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2208, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2275, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2281, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2285, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2289, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 2294, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 5231, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 5237, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 5262, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 5357, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227) SIGKILL sent: pid: 5227, result: unknown
Source: /tmp/mirkatclpb.arm (PID: 5233) SIGKILL sent: pid: 936, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Sample tries to kill a process (SIGKILL)
Source: classification engine Classification label: mal68.spre.troj.evad.linARM@0/6@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/mirkatclpb.arm (PID: 5225) Queries kernel information via 'uname'
Source: mirkatclpb.arm, 5227.1.00000000c45ccceb.000000004da30319.rw-.sdmp Binary or memory string: Uu-binfmt/arm/0!/proc/1654/fd/3!/proc/5251/exe/arm/pro1/usr/bin/qemu-armrm/0!/proc/1654/fd/4!/proc/5250/fd/14arm/pro1
Source: mirkatclpb.arm, 5225.1.000000006ea636fc.00000000c45ccceb.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: mirkatclpb.arm, 5227.1.00000000c45ccceb.000000004da30319.rw-.sdmp Binary or memory string: U!/proc/5258/fd/..arm/pro1/usr/bin/vmtoolsdrm/
Source: mirkatclpb.arm, 5225.1.000000000d06bf85.00000000e32b960c.rw-.sdmp Binary or memory string: Bx86_64/usr/bin/qemu-arm/tmp/mirkatclpb.armSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mirkatclpb.arm
Source: mirkatclpb.arm, 5227.1.00000000c45ccceb.000000004da30319.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: mirkatclpb.arm, 5225.1.000000006ea636fc.00000000c45ccceb.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: mirkatclpb.arm, 5225.1.000000000d06bf85.00000000e32b960c.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
