Play interactive tour

Edit tour

Linux Analysis Report mirkatclpb.arm

Overview

General Information

Sample Name:	mirkatclpb.arm
Analysis ID:	491830
MD5:	f11d4deb3dc156310b53b21e22c5663a
SHA1:	f785ac4c47b99459a8ce236aa76df115af76dd7f
SHA256:	64e0601e1a0a1bb7f8f170ea14efa55b1f17aaefad94edf0b96cfdbebeb689e8
Infos:
Most interesting Screenshot:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample tries to kill many processes (SIGKILL)

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491830
Start date:	27.09.2021
Start time:	23:50:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	mirkatclpb.arm
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.spre.troj.evad.linARM@0/6@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100 VT rate limit hit for: /opt/package/joesandbox/database/analysis/491830/sample/mirkatclpb.arm

Process Tree

system is lnxubuntu20

mirkatclpb.arm (PID: 5225, Parent: 5115, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/mirkatclpb.arm

mirkatclpb.arm New Fork (PID: 5227, Parent: 5225)

mirkatclpb.arm New Fork (PID: 5229, Parent: 5225)

mirkatclpb.arm New Fork (PID: 5231, Parent: 5225)

mirkatclpb.arm New Fork (PID: 5233, Parent: 5231)

mirkatclpb.arm New Fork (PID: 5234, Parent: 5231)

mirkatclpb.arm New Fork (PID: 5237, Parent: 5231)

systemd New Fork (PID: 5261, Parent: 1)

sshd (PID: 5261, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5262, Parent: 1)

sshd (PID: 5262, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5356, Parent: 1)

sshd (PID: 5356, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5357, Parent: 1)

sshd (PID: 5357, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 5358, Parent: 1)

sshd (PID: 5358, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5359, Parent: 1)

sshd (PID: 5359, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34420
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46262
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46262
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:50944
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:50944
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34516
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51036
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51036
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51094
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51138
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51138
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54810
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54810
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46488
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46488
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34680
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 216.123.70.174:23 -> 192.168.2.23:34200
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 216.123.70.174:23 -> 192.168.2.23:34200
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51182
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51182
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54842
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54842
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54864
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54864
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54870
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54870
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51216
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51216
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54874
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54874
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54900
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54900
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:41368 -> 81.136.190.29:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51244
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51244
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.23:41376 -> 81.136.190.29:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54930
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54930
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34798
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38080
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38080
Source: Traffic	Snort IDS: 2023443 ET TROJAN Possible Linux.Mirai Login Attempt (klv123) 192.168.2.23:41416 -> 81.136.190.29:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54954
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54954
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 216.123.70.174:23 -> 192.168.2.23:34346
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 216.123.70.174:23 -> 192.168.2.23:34346
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51308
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51308
Source: Traffic	Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.23:41442 -> 81.136.190.29:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46644
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46644
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 190.186.58.151:23 -> 192.168.2.23:54986
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 190.186.58.151:23 -> 192.168.2.23:54986
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41458 -> 81.136.190.29:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38130
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38130
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51350
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51350
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38146
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38146
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 37.122.159.153:23 -> 192.168.2.23:51366
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 37.122.159.153:23 -> 192.168.2.23:51366
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:34904
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38188
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38188
Source: Traffic	Snort IDS: 716 INFO TELNET access 197.230.97.166:23 -> 192.168.2.23:39634
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 216.123.70.174:23 -> 192.168.2.23:34438
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 216.123.70.174:23 -> 192.168.2.23:34438
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38202
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38202
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 186.65.67.208:23 -> 192.168.2.23:46756
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 186.65.67.208:23 -> 192.168.2.23:46756
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38258
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38258
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 116.101.239.225:23 -> 192.168.2.23:54246
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.254.23.45:23 -> 192.168.2.23:35022
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 82.166.85.146:23 -> 192.168.2.23:38316
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 82.166.85.146:23 -> 192.168.2.23:38316
Source: Traffic	Snort IDS: 716 INFO TELNET access 197.230.97.166:23 -> 192.168.2.23:39776

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57766
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57770
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57772
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57776
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57778
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57780
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57784
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57786

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: global traffic

TCP traffic: 192.168.2.23:58880 -> 178.17.171.119:1312

Source: /tmp/mirkatclpb.arm (PID: 5227)	Socket: 0.0.0.0::0
Source: /tmp/mirkatclpb.arm (PID: 5227)	Socket: 0.0.0.0::53413
Source: /tmp/mirkatclpb.arm (PID: 5227)	Socket: 0.0.0.0::80
Source: /tmp/mirkatclpb.arm (PID: 5227)	Socket: 0.0.0.0::37215
Source: /tmp/mirkatclpb.arm (PID: 5233)	Socket: 0.0.0.0::0
Source: /tmp/mirkatclpb.arm (PID: 5233)	Socket: 0.0.0.0::53413
Source: /tmp/mirkatclpb.arm (PID: 5233)	Socket: 0.0.0.0::80
Source: /tmp/mirkatclpb.arm (PID: 5233)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 5262)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5262)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5357)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5357)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 5359)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5359)	Socket: [::]::22

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 178.17.171.119
Source: unknown	TCP traffic detected without corresponding DNS query: 157.244.232.49
Source: unknown	TCP traffic detected without corresponding DNS query: 16.97.27.49
Source: unknown	TCP traffic detected without corresponding DNS query: 167.9.80.221
Source: unknown	TCP traffic detected without corresponding DNS query: 120.147.64.147
Source: unknown	TCP traffic detected without corresponding DNS query: 186.26.214.182
Source: unknown	TCP traffic detected without corresponding DNS query: 174.156.200.69
Source: unknown	TCP traffic detected without corresponding DNS query: 177.189.106.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.54.70.123
Source: unknown	TCP traffic detected without corresponding DNS query: 251.216.174.83
Source: unknown	TCP traffic detected without corresponding DNS query: 242.55.149.52
Source: unknown	TCP traffic detected without corresponding DNS query: 123.1.221.60
Source: unknown	TCP traffic detected without corresponding DNS query: 222.73.47.199
Source: unknown	TCP traffic detected without corresponding DNS query: 192.33.255.19
Source: unknown	TCP traffic detected without corresponding DNS query: 34.163.178.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.255.203.225
Source: unknown	TCP traffic detected without corresponding DNS query: 34.43.160.4
Source: unknown	TCP traffic detected without corresponding DNS query: 162.214.84.250
Source: unknown	TCP traffic detected without corresponding DNS query: 44.233.22.48
Source: unknown	TCP traffic detected without corresponding DNS query: 222.223.18.206
Source: unknown	TCP traffic detected without corresponding DNS query: 14.181.67.143
Source: unknown	TCP traffic detected without corresponding DNS query: 255.126.135.108
Source: unknown	TCP traffic detected without corresponding DNS query: 242.202.103.217
Source: unknown	TCP traffic detected without corresponding DNS query: 208.61.6.39
Source: unknown	TCP traffic detected without corresponding DNS query: 5.167.107.2
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.99.172
Source: unknown	TCP traffic detected without corresponding DNS query: 40.116.49.252
Source: unknown	TCP traffic detected without corresponding DNS query: 251.195.164.19
Source: unknown	TCP traffic detected without corresponding DNS query: 151.201.57.149
Source: unknown	TCP traffic detected without corresponding DNS query: 161.239.178.112
Source: unknown	TCP traffic detected without corresponding DNS query: 98.255.179.129
Source: unknown	TCP traffic detected without corresponding DNS query: 190.113.190.218
Source: unknown	TCP traffic detected without corresponding DNS query: 128.20.146.8
Source: unknown	TCP traffic detected without corresponding DNS query: 158.226.127.73
Source: unknown	TCP traffic detected without corresponding DNS query: 223.251.207.176
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.122.180
Source: unknown	TCP traffic detected without corresponding DNS query: 72.81.87.166
Source: unknown	TCP traffic detected without corresponding DNS query: 16.177.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.212.42.214
Source: unknown	TCP traffic detected without corresponding DNS query: 205.227.206.146
Source: unknown	TCP traffic detected without corresponding DNS query: 130.227.21.218
Source: unknown	TCP traffic detected without corresponding DNS query: 122.28.41.35
Source: unknown	TCP traffic detected without corresponding DNS query: 109.9.22.37
Source: unknown	TCP traffic detected without corresponding DNS query: 165.129.204.87
Source: unknown	TCP traffic detected without corresponding DNS query: 245.32.54.73
Source: unknown	TCP traffic detected without corresponding DNS query: 74.154.55.160
Source: unknown	TCP traffic detected without corresponding DNS query: 9.109.62.135
Source: unknown	TCP traffic detected without corresponding DNS query: 2.184.102.57
Source: unknown	TCP traffic detected without corresponding DNS query: 157.38.170.228
Source: unknown	TCP traffic detected without corresponding DNS query: 65.8.95.139

Source: mirkatclpb.arm

String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5233, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5231, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5237, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5262, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5357, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5227, result: unknown
Source: /tmp/mirkatclpb.arm (PID: 5233)	SIGKILL sent: pid: 936, result: successful

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5233, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5231, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5237, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5262, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5357, result: successful
Source: /tmp/mirkatclpb.arm (PID: 5227)	SIGKILL sent: pid: 5227, result: unknown
Source: /tmp/mirkatclpb.arm (PID: 5233)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal68.spre.troj.evad.linARM@0/6@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/491/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/793/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/772/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/796/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/774/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/797/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/777/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/799/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/658/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/912/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/759/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/936/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/918/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/1/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/761/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/785/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/884/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/720/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/721/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/788/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/789/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/800/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/801/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/847/fd
Source: /tmp/mirkatclpb.arm (PID: 5233)	File opened: /proc/904/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/5262/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/5262/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2033/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2033/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2033/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2033/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2033/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1582/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1582/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1582/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1582/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1582/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2275/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2275/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2275/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/3088/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/5260/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1612/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1612/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1612/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1612/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1612/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1579/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1579/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1579/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1579/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1579/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1699/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1699/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1699/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1699/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1699/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1335/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1335/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1335/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1698/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1698/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1698/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1698/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1698/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2028/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2028/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2028/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2028/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2028/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1334/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1334/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1334/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1334/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1334/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1576/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1576/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1576/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1576/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/1576/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2302/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2302/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2302/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2302/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2302/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/3236/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/3236/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/3236/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/3236/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/3236/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2025/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2025/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2025/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2025/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2025/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2146/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2146/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2146/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2146/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/2146/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/5258/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/910/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/5259/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/912/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/912/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/912/exe
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/912/fd
Source: /tmp/mirkatclpb.arm (PID: 5227)	File opened: /proc/912/fd

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57766
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57770
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57772
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57776
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57778
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57780
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57784
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57786

Source: /tmp/mirkatclpb.arm (PID: 5225)

Queries kernel information via 'uname':

Source: mirkatclpb.arm, 5227.1.00000000c45ccceb.000000004da30319.rw-.sdmp	Binary or memory string: Uu-binfmt/arm/0!/proc/1654/fd/3!/proc/5251/exe/arm/pro1/usr/bin/qemu-armrm/0!/proc/1654/fd/4!/proc/5250/fd/14arm/pro1
Source: mirkatclpb.arm, 5225.1.000000006ea636fc.00000000c45ccceb.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: mirkatclpb.arm, 5227.1.00000000c45ccceb.000000004da30319.rw-.sdmp	Binary or memory string: U!/proc/5258/fd/..arm/pro1/usr/bin/vmtoolsdrm/
Source: mirkatclpb.arm, 5225.1.000000000d06bf85.00000000e32b960c.rw-.sdmp	Binary or memory string: Bx86_64/usr/bin/qemu-arm/tmp/mirkatclpb.armSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mirkatclpb.arm
Source: mirkatclpb.arm, 5227.1.00000000c45ccceb.000000004da30319.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: mirkatclpb.arm, 5225.1.000000006ea636fc.00000000c45ccceb.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: mirkatclpb.arm, 5225.1.000000000d06bf85.00000000e32b960c.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Obfuscated Files or Information1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	mirkatclpb.arm	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
213.31.71.244	unknown	Belgium	6871	PLUSNETUKInternetServiceProviderGB	false
166.29.74.82	unknown	United States	206	CSC-IGN-AMERUS	false
14.143.23.189	unknown	India	4755	TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP	false
200.152.162.49	unknown	Brazil	28122	VerizonMediadoBrasilInternetLtdaBR	false
206.67.127.12	unknown	United States	701	UUNETUS	false
158.34.190.147	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
247.118.145.156	unknown	Reserved	unknown	unknown	false
23.179.6.168	unknown	Reserved	63297	PACIFIC-SERVERSCA	false
202.236.115.3	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
245.114.66.174	unknown	Reserved	unknown	unknown	false
87.81.175.34	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
188.97.180.64	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
159.173.54.239	unknown	France	28686	AVECTRIS-ASCH	false
188.248.166.141	unknown	Saudi Arabia	48695	ATHEEB-ASSA	false
253.254.231.181	unknown	Reserved	unknown	unknown	false
102.241.34.87	unknown	Tunisia	36926	CKL1-ASNKE	false
57.67.217.115	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
197.131.99.208	unknown	Morocco	6713	IAM-ASMA	false
14.139.237.177	unknown	India	55824	NKN-CORE-NWNKNCoreNetworkIN	false
173.70.19.51	unknown	United States	701	UUNETUS	false
102.114.79.239	unknown	Mauritius	23889	MauritiusTelecomMU	false
139.196.56.182	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
73.207.81.45	unknown	United States	7922	COMCAST-7922US	false
194.128.173.25	unknown	United Kingdom	702	UUNETUS	false
242.249.209.192	unknown	Reserved	unknown	unknown	false
87.51.208.65	unknown	Denmark	3292	TDCTDCASDK	false
63.148.159.88	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
2.103.215.131	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
108.243.173.4	unknown	United States	7018	ATT-INTERNET4US	false
207.90.126.129	unknown	United States	7321	LNET-ASNUS	false
193.245.131.64	unknown	Belgium	3549	LVLT-3549US	false
242.63.95.89	unknown	Reserved	unknown	unknown	false
195.229.184.171	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	false
180.170.25.215	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
174.64.2.29	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
86.52.29.10	unknown	Denmark	197288	STOFANETDK	false
254.91.231.74	unknown	Reserved	unknown	unknown	false
246.141.80.184	unknown	Reserved	unknown	unknown	false
36.90.232.64	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
135.205.221.76	unknown	United States	6431	ATT-RESEARCHUS	false
250.51.173.213	unknown	Reserved	unknown	unknown	false
84.116.116.140	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
69.90.190.99	unknown	Canada	13768	COGECO-PEER1CA	false
157.72.178.5	unknown	Japan	131932	JEIS-NETJREastInformationSystemsCompanyJP	false
110.125.97.65	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
20.21.196.35	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
125.73.254.169	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
1.99.146.64	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
206.9.187.110	unknown	United States	5006	VOYANTUS	false
65.201.108.229	unknown	United States	701	UUNETUS	false
179.48.209.102	unknown	unknown	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
59.166.150.107	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
120.161.3.29	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
170.73.197.190	unknown	United States	16761	FEDMOG-ASN-01US	false
23.42.205.247	unknown	United States	16625	AKAMAI-ASUS	false
17.103.205.219	unknown	United States	714	APPLE-ENGINEERINGUS	false
66.147.85.178	unknown	United States	7029	WINDSTREAMUS	false
102.74.168.118	unknown	Morocco	6713	IAM-ASMA	false
149.210.199.62	unknown	Netherlands	20857	TRANSIP-ASAmsterdamtheNetherlandsNL	false
221.248.80.1	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
60.16.183.22	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
107.134.158.250	unknown	United States	7018	ATT-INTERNET4US	false
202.200.196.12	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
184.5.225.222	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
151.246.218.21	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
117.219.36.68	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
220.138.36.103	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
16.225.121.0	unknown	United States	unknown	unknown	false
66.12.192.156	unknown	United States	5650	FRONTIER-FRTRUS	false
106.90.12.33	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
216.46.212.245	unknown	United States	19945	GRANBURYISDUS	false
146.123.208.124	unknown	United States	2158	HPESUS	false
250.53.18.17	unknown	Reserved	unknown	unknown	false
159.201.91.21	unknown	United States	1906	NORTHROP-GRUMMANUS	false
165.133.204.80	unknown	Korea Republic of	4961	DISC-AS-KRDaewooInformationSystemsKR	false
31.61.177.115	unknown	Poland	5617	TPNETPL	false
204.233.222.220	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
47.90.213.32	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
12.50.93.239	unknown	United States	7018	ATT-INTERNET4US	false
140.220.168.137	unknown	United States	600	OARNET-ASUS	false
221.87.174.160	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
217.202.195.230	unknown	Italy	16232	ASN-TIMServiceProviderIT	false
173.80.22.227	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
1.146.71.43	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
217.95.63.172	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
114.253.135.30	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
243.220.176.106	unknown	Reserved	unknown	unknown	false
38.49.227.144	unknown	United States	174	COGENT-174US	false
254.89.164.115	unknown	Reserved	unknown	unknown	false
175.248.208.227	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
95.27.203.251	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
61.32.110.154	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
87.4.93.209	unknown	Italy	3269	ASN-IBSNAZIT	false
158.214.59.15	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
192.248.174.124	unknown	France	20473	AS-CHOOPAUS	false
9.35.128.167	unknown	United States	3356	LEVEL3US	false
143.236.35.245	unknown	United States	3128	BRUWS-AS3128US	false
252.4.195.138	unknown	Reserved	unknown	unknown	false
173.197.253.115	unknown	United States	10796	TWC-10796-MIDWESTUS	false
216.224.227.28	unknown	United States	39948	INIT-PHXUS	false

Runtime Messages

Command:	/tmp/mirkatclpb.arm
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CSC-IGN-AMERUS	soramrk.arm7	Get hash	malicious	Browse	166.18.138.122
	4czqYWTUq8	Get hash	malicious	Browse	166.28.2.6
	dark.x86	Get hash	malicious	Browse	166.24.237.116
	sora.x86	Get hash	malicious	Browse	20.137.104.111
	jew.x86	Get hash	malicious	Browse	166.26.105.225
	RIkJg4Hr71	Get hash	malicious	Browse	166.25.76.134
	sora.x86	Get hash	malicious	Browse	20.132.107.100
	sora.arm	Get hash	malicious	Browse	166.25.76.133
	ayx5kFWYmZ	Get hash	malicious	Browse	20.137.104.115
	x86_64	Get hash	malicious	Browse	166.29.182.33
	4nLik56DrD	Get hash	malicious	Browse	166.26.55.116
	b3astmode.arm7	Get hash	malicious	Browse	166.26.55.112
	x86	Get hash	malicious	Browse	166.17.196.159
	K6s3wEt8Ua	Get hash	malicious	Browse	166.26.55.100
	r6ZMm6XiWc	Get hash	malicious	Browse	166.18.138.185
	M2hPt9E5Fk	Get hash	malicious	Browse	166.28.244.239
	RYlggrmClJ	Get hash	malicious	Browse	166.29.98.78
	vWV3GzP3vR	Get hash	malicious	Browse	166.24.102.124
	vHVNRpNhIs	Get hash	malicious	Browse	20.132.231.166
	1isequal9.x86	Get hash	malicious	Browse	166.29.121.84
PLUSNETUKInternetServiceProviderGB	8LdKQIRfZG	Get hash	malicious	Browse	91.125.96.99
	soramrk.arm7	Get hash	malicious	Browse	195.213.49.51
	R4j2V50iCQ	Get hash	malicious	Browse	81.141.31.72
	VRVgDYWUED	Get hash	malicious	Browse	84.92.157.60
	PNv1wwpUow	Get hash	malicious	Browse	80.229.218.105
	sora.x86	Get hash	malicious	Browse	209.93.111.137
	UnHAnaAW.x86	Get hash	malicious	Browse	31.185.55.182
	TsHIdFKafF	Get hash	malicious	Browse	84.92.108.96
	I6l48v5NQD	Get hash	malicious	Browse	81.141.79.14
	BLBHEA8knd	Get hash	malicious	Browse	84.92.157.59
	Wrg7vnHm5A	Get hash	malicious	Browse	195.166.145.100
	uxHuQqDuZc	Get hash	malicious	Browse	195.99.43.175
	b3astmode.arm	Get hash	malicious	Browse	84.93.18.172
	aXyZQ9O8iB	Get hash	malicious	Browse	80.229.86.18
	AJK7j832D2	Get hash	malicious	Browse	81.140.202.98
	x86	Get hash	malicious	Browse	195.166.145.114
	arm5	Get hash	malicious	Browse	80.229.2.221
	dark.sh4	Get hash	malicious	Browse	80.229.2.247
	tW7pu9B8A0	Get hash	malicious	Browse	84.93.0.213
	77QZ81W0pZ	Get hash	malicious	Browse	81.141.55.50

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5262/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/proc/5357/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/proc/5359/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:DQe:t
MD5:	D58EE3FB1678D38519A28E681026FE91
SHA1:	DA5269859F42E02B8C6E870022B15E6656B7C425
SHA-256:	E42E7906AE58FC4C8B70F912EC415D0FB2A49A3F54C9FB9D84C66731A1ED0DE6
SHA-512:	DDEA99F3C15931102CF7EAF551FEED190B762F7B597DEF5329CCA576ADD6F5E59885BAAE14D7483BE141B24DBD5D05E2C877DE1C5F978AF60276C28CAC3EBFAC
Malicious:	false
Reputation:	low
Preview:	5359.

Static File Info

General
File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	7.929079875154064
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mirkatclpb.arm
File size:	25004
MD5:	f11d4deb3dc156310b53b21e22c5663a
SHA1:	f785ac4c47b99459a8ce236aa76df115af76dd7f
SHA256:	64e0601e1a0a1bb7f8f170ea14efa55b1f17aaefad94edf0b96cfdbebeb689e8
SHA512:	158581447fc598aa5139b8d93c96b09b82b0b442f6704a4a2fbbe816e8df57e10471899ac9f38d3d34e23d637723d1462e44857db1208b9c57bc507564db18d6
SSDEEP:	768:QX9nxn8o9wnBoWzEQf2EjKb3pWz9s3Uoz2:Qtn+o9wjfBAZWcz2
File Content Preview:	.ELF...a..........(.........4...........4. ...(......................`...`...............^..........................Q.td..............................CvUPX!........0...0.......R..........?.E.h;.}...^..........f.Z.6..(fw....&.x:.E.......oe.`.S..T.......n..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0xcf10
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x60bf	0x60bf	4.0477	0x5	R E	0x8000
LOAD	0x5ee0	0x1dee0	0x1dee0	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 23:51:25.822817087 CEST	58880	1312	192.168.2.23	178.17.171.119
Sep 27, 2021 23:51:25.842024088 CEST	22309	23	192.168.2.23	157.244.232.49
Sep 27, 2021 23:51:25.842102051 CEST	22309	23	192.168.2.23	16.97.27.49
Sep 27, 2021 23:51:25.842128038 CEST	22309	23	192.168.2.23	167.9.80.221
Sep 27, 2021 23:51:25.842230082 CEST	22309	23	192.168.2.23	120.147.64.147
Sep 27, 2021 23:51:25.842252970 CEST	22309	23	192.168.2.23	186.26.214.182
Sep 27, 2021 23:51:25.842281103 CEST	22309	23	192.168.2.23	174.156.200.69
Sep 27, 2021 23:51:25.842297077 CEST	22309	23	192.168.2.23	177.189.106.136
Sep 27, 2021 23:51:25.842309952 CEST	22309	23	192.168.2.23	192.54.70.123
Sep 27, 2021 23:51:25.842312098 CEST	22309	23	192.168.2.23	251.216.174.83
Sep 27, 2021 23:51:25.842339039 CEST	22309	23	192.168.2.23	242.55.149.52
Sep 27, 2021 23:51:25.842456102 CEST	22309	23	192.168.2.23	123.1.221.60
Sep 27, 2021 23:51:25.842466116 CEST	22309	23	192.168.2.23	222.73.47.199
Sep 27, 2021 23:51:25.842482090 CEST	22309	23	192.168.2.23	192.33.255.19
Sep 27, 2021 23:51:25.842483997 CEST	22309	23	192.168.2.23	34.163.178.160
Sep 27, 2021 23:51:25.842485905 CEST	22309	23	192.168.2.23	185.255.203.225
Sep 27, 2021 23:51:25.842516899 CEST	22309	23	192.168.2.23	34.43.160.4
Sep 27, 2021 23:51:25.842523098 CEST	22309	23	192.168.2.23	162.214.84.250
Sep 27, 2021 23:51:25.842525959 CEST	22309	23	192.168.2.23	44.233.22.48
Sep 27, 2021 23:51:25.842526913 CEST	22309	23	192.168.2.23	222.223.18.206
Sep 27, 2021 23:51:25.842539072 CEST	22309	23	192.168.2.23	14.181.67.143
Sep 27, 2021 23:51:25.842555046 CEST	22309	23	192.168.2.23	255.126.135.108
Sep 27, 2021 23:51:25.842565060 CEST	22309	23	192.168.2.23	242.202.103.217
Sep 27, 2021 23:51:25.842583895 CEST	22309	23	192.168.2.23	208.61.6.39
Sep 27, 2021 23:51:25.842658043 CEST	22309	23	192.168.2.23	5.167.107.2
Sep 27, 2021 23:51:25.842688084 CEST	22309	23	192.168.2.23	133.14.99.172
Sep 27, 2021 23:51:25.842688084 CEST	22309	23	192.168.2.23	40.116.49.252
Sep 27, 2021 23:51:25.842704058 CEST	22309	23	192.168.2.23	251.195.164.19
Sep 27, 2021 23:51:25.842773914 CEST	22309	23	192.168.2.23	151.201.57.149
Sep 27, 2021 23:51:25.842814922 CEST	22309	23	192.168.2.23	161.239.178.112
Sep 27, 2021 23:51:25.842833996 CEST	22309	23	192.168.2.23	98.255.179.129
Sep 27, 2021 23:51:25.842853069 CEST	22309	23	192.168.2.23	190.113.190.218
Sep 27, 2021 23:51:25.842868090 CEST	22309	23	192.168.2.23	128.20.146.8
Sep 27, 2021 23:51:25.842895031 CEST	22309	23	192.168.2.23	158.226.127.73
Sep 27, 2021 23:51:25.842911959 CEST	22309	23	192.168.2.23	223.251.207.176
Sep 27, 2021 23:51:25.842942953 CEST	22309	23	192.168.2.23	45.43.122.180
Sep 27, 2021 23:51:25.842962980 CEST	22309	23	192.168.2.23	72.81.87.166
Sep 27, 2021 23:51:25.842967033 CEST	22309	23	192.168.2.23	16.177.38.233
Sep 27, 2021 23:51:25.842993021 CEST	22309	23	192.168.2.23	172.212.42.214
Sep 27, 2021 23:51:25.843008995 CEST	22309	23	192.168.2.23	117.97.110.196
Sep 27, 2021 23:51:25.843055010 CEST	22309	23	192.168.2.23	205.227.206.146
Sep 27, 2021 23:51:25.843055964 CEST	22309	23	192.168.2.23	130.227.21.218
Sep 27, 2021 23:51:25.843066931 CEST	22309	23	192.168.2.23	122.28.41.35
Sep 27, 2021 23:51:25.843080044 CEST	22309	23	192.168.2.23	109.9.22.37
Sep 27, 2021 23:51:25.843111992 CEST	22309	23	192.168.2.23	165.129.204.87
Sep 27, 2021 23:51:25.843156099 CEST	22309	23	192.168.2.23	245.32.54.73
Sep 27, 2021 23:51:25.843180895 CEST	22309	23	192.168.2.23	74.154.55.160
Sep 27, 2021 23:51:25.843194962 CEST	22309	23	192.168.2.23	9.109.62.135
Sep 27, 2021 23:51:25.843199968 CEST	22309	23	192.168.2.23	2.184.102.57
Sep 27, 2021 23:51:25.843205929 CEST	22309	23	192.168.2.23	157.38.170.228
Sep 27, 2021 23:51:25.843206882 CEST	22309	23	192.168.2.23	65.8.95.139
Sep 27, 2021 23:51:25.843215942 CEST	22309	23	192.168.2.23	248.169.206.236
Sep 27, 2021 23:51:25.843226910 CEST	22309	23	192.168.2.23	205.213.64.100
Sep 27, 2021 23:51:25.843254089 CEST	22309	23	192.168.2.23	202.54.68.56
Sep 27, 2021 23:51:25.843297958 CEST	22309	23	192.168.2.23	13.79.119.101
Sep 27, 2021 23:51:25.843344927 CEST	22309	23	192.168.2.23	89.183.187.102
Sep 27, 2021 23:51:25.843365908 CEST	22309	23	192.168.2.23	109.168.100.101
Sep 27, 2021 23:51:25.843384027 CEST	22309	23	192.168.2.23	201.181.33.169
Sep 27, 2021 23:51:25.843393087 CEST	22309	23	192.168.2.23	101.234.19.32
Sep 27, 2021 23:51:25.843447924 CEST	22309	23	192.168.2.23	112.163.199.171
Sep 27, 2021 23:51:25.843461990 CEST	22309	23	192.168.2.23	97.103.84.164
Sep 27, 2021 23:51:25.843478918 CEST	22309	23	192.168.2.23	242.1.216.205
Sep 27, 2021 23:51:25.843492985 CEST	22309	23	192.168.2.23	201.165.156.227
Sep 27, 2021 23:51:25.843518972 CEST	22309	23	192.168.2.23	244.13.0.200
Sep 27, 2021 23:51:25.843540907 CEST	22309	23	192.168.2.23	135.52.67.108
Sep 27, 2021 23:51:25.843576908 CEST	22309	23	192.168.2.23	138.195.13.172
Sep 27, 2021 23:51:25.843589067 CEST	22309	23	192.168.2.23	87.206.18.90
Sep 27, 2021 23:51:25.843599081 CEST	22309	23	192.168.2.23	142.29.211.209
Sep 27, 2021 23:51:25.843611956 CEST	22309	23	192.168.2.23	144.93.68.143
Sep 27, 2021 23:51:25.843631029 CEST	22309	23	192.168.2.23	12.4.233.129
Sep 27, 2021 23:51:25.843714952 CEST	22309	23	192.168.2.23	217.92.5.51
Sep 27, 2021 23:51:25.843770027 CEST	22309	23	192.168.2.23	211.159.114.219
Sep 27, 2021 23:51:25.843827009 CEST	22309	23	192.168.2.23	74.20.185.208
Sep 27, 2021 23:51:25.843830109 CEST	22309	23	192.168.2.23	147.179.174.114
Sep 27, 2021 23:51:25.843831062 CEST	22309	23	192.168.2.23	122.211.250.37
Sep 27, 2021 23:51:25.843857050 CEST	22309	23	192.168.2.23	37.173.187.97
Sep 27, 2021 23:51:25.843858957 CEST	22309	23	192.168.2.23	106.2.178.127
Sep 27, 2021 23:51:25.843859911 CEST	22309	23	192.168.2.23	74.246.87.251
Sep 27, 2021 23:51:25.843863010 CEST	22309	23	192.168.2.23	219.196.157.236
Sep 27, 2021 23:51:25.843864918 CEST	22309	23	192.168.2.23	223.30.92.214
Sep 27, 2021 23:51:25.843867064 CEST	22309	23	192.168.2.23	169.59.70.53
Sep 27, 2021 23:51:25.843890905 CEST	22309	23	192.168.2.23	8.16.191.246
Sep 27, 2021 23:51:25.843892097 CEST	22309	23	192.168.2.23	208.137.107.67
Sep 27, 2021 23:51:25.843957901 CEST	22309	23	192.168.2.23	2.198.211.186
Sep 27, 2021 23:51:25.843966007 CEST	22309	23	192.168.2.23	68.26.243.150
Sep 27, 2021 23:51:25.843975067 CEST	22309	23	192.168.2.23	171.4.2.2
Sep 27, 2021 23:51:25.843974113 CEST	22309	23	192.168.2.23	83.208.109.15
Sep 27, 2021 23:51:25.843975067 CEST	22309	23	192.168.2.23	171.247.226.151
Sep 27, 2021 23:51:25.843975067 CEST	22309	23	192.168.2.23	65.196.160.121
Sep 27, 2021 23:51:25.843998909 CEST	22309	23	192.168.2.23	66.177.255.100
Sep 27, 2021 23:51:25.844001055 CEST	22309	23	192.168.2.23	100.209.99.65
Sep 27, 2021 23:51:25.844008923 CEST	22309	23	192.168.2.23	184.90.69.131
Sep 27, 2021 23:51:25.844008923 CEST	22309	23	192.168.2.23	31.145.155.218
Sep 27, 2021 23:51:25.844008923 CEST	22309	23	192.168.2.23	111.100.154.90
Sep 27, 2021 23:51:25.844010115 CEST	22309	23	192.168.2.23	96.166.55.128
Sep 27, 2021 23:51:25.844014883 CEST	22309	23	192.168.2.23	84.183.124.17
Sep 27, 2021 23:51:25.844048023 CEST	22309	23	192.168.2.23	114.7.51.176
Sep 27, 2021 23:51:25.844049931 CEST	22309	23	192.168.2.23	200.147.212.176
Sep 27, 2021 23:51:25.844063044 CEST	22309	23	192.168.2.23	146.27.47.142
Sep 27, 2021 23:51:25.844064951 CEST	22309	23	192.168.2.23	220.181.27.219

System Behavior

Analysis Process: mirkatclpb.arm PID: 5225 Parent PID: 5115

General

Start time:	23:51:24
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	/tmp/mirkatclpb.arm
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: mirkatclpb.arm PID: 5227 Parent PID: 5225

General

Start time:	23:51:25
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: mirkatclpb.arm PID: 5229 Parent PID: 5225

General

Start time:	23:51:25
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: mirkatclpb.arm PID: 5231 Parent PID: 5225

General

Start time:	23:51:25
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: mirkatclpb.arm PID: 5233 Parent PID: 5231

General

Start time:	23:51:25
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: mirkatclpb.arm PID: 5234 Parent PID: 5231

General

Start time:	23:51:25
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: mirkatclpb.arm PID: 5237 Parent PID: 5231

General

Start time:	23:51:25
Start date:	27/09/2021
Path:	/tmp/mirkatclpb.arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: systemd PID: 5261 Parent PID: 1

General

Start time:	23:51:40
Start date:	27/09/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5261 Parent PID: 1

General

Start time:	23:51:40
Start date:	27/09/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5262 Parent PID: 1

General

Start time:	23:51:42
Start date:	27/09/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5262 Parent PID: 1

General

Start time:	23:51:42
Start date:	27/09/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5356 Parent PID: 1

General

Start time:	23:54:23
Start date:	27/09/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5356 Parent PID: 1

General

Start time:	23:54:23
Start date:	27/09/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5357 Parent PID: 1

General

Start time:	23:54:24
Start date:	27/09/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5357 Parent PID: 1

General

Start time:	23:54:24
Start date:	27/09/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5358 Parent PID: 1

General

Start time:	23:54:26
Start date:	27/09/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5358 Parent PID: 1

General

Start time:	23:54:26
Start date:	27/09/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5359 Parent PID: 1

General

Start time:	23:54:26
Start date:	27/09/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5359 Parent PID: 1

General

Start time:	23:54:26
Start date:	27/09/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report mirkatclpb.arm

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: mirkatclpb.arm PID: 5225 Parent PID: 5115

General

Analysis Process: mirkatclpb.arm PID: 5227 Parent PID: 5225

General

Analysis Process: mirkatclpb.arm PID: 5229 Parent PID: 5225

General

Analysis Process: mirkatclpb.arm PID: 5231 Parent PID: 5225

General

Analysis Process: mirkatclpb.arm PID: 5233 Parent PID: 5231

General

Analysis Process: mirkatclpb.arm PID: 5234 Parent PID: 5231

General

Analysis Process: mirkatclpb.arm PID: 5237 Parent PID: 5231

General

Analysis Process: systemd PID: 5261 Parent PID: 1

General

Analysis Process: sshd PID: 5261 Parent PID: 1

General

Analysis Process: systemd PID: 5262 Parent PID: 1

General

Analysis Process: sshd PID: 5262 Parent PID: 1