Linux Analysis Report SedZv73LJb

Overview

General Information

Sample Name: SedZv73LJb
Analysis ID: 537271
MD5: bdc02fe5c4e820cc750d4b5b7280f2cd
SHA1: d49ff96bbfbd990ffdb4727a809b97eb05bf1c2a
SHA256: a06645dcacd00b2ffa5db96729241c355e012fa87a2ef16d595a4bac7a7dcd10
Tags: 32 elf mips mirai

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:53452 -> 85.98.33.21:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57658
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57658
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57706
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57706
Source: Traffic Snort IDS: 716 INFO TELNET access 218.158.20.113:23 -> 192.168.2.23:55176
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57714
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57714
Source: Traffic Snort IDS: 716 INFO TELNET access 218.158.20.113:23 -> 192.168.2.23:55184
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57738
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57738
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:60182 -> 194.85.248.177:9506
Sample listens on a socket
Source: /tmp/SedZv73LJb (PID: 5218) Socket: 0.0.0.0::23
Source: /tmp/SedZv73LJb (PID: 5218) Socket: 0.0.0.0::0
Source: /tmp/SedZv73LJb (PID: 5218) Socket: 0.0.0.0::80
Source: /tmp/SedZv73LJb (PID: 5218) Socket: 0.0.0.0::81
Source: /tmp/SedZv73LJb (PID: 5218) Socket: 0.0.0.0::8443
Source: /tmp/SedZv73LJb (PID: 5218) Socket: 0.0.0.0::9009
Source: /tmp/SedZv73LJb (PID: 5224) Socket: 0.0.0.0::0
Source: /tmp/SedZv73LJb (PID: 5224) Socket: 0.0.0.0::80
Source: /tmp/SedZv73LJb (PID: 5224) Socket: 0.0.0.0::81
Source: /tmp/SedZv73LJb (PID: 5224) Socket: 0.0.0.0::8443
Source: /tmp/SedZv73LJb (PID: 5224) Socket: 0.0.0.0::9009
Source: /usr/sbin/sshd (PID: 5250) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5250) Socket: [::]::22
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 194.85.248.177
Source: unknown TCP traffic detected without corresponding DNS query: 68.20.73.222
Source: unknown TCP traffic detected without corresponding DNS query: 53.7.185.222
Source: unknown TCP traffic detected without corresponding DNS query: 193.19.134.102
Source: unknown TCP traffic detected without corresponding DNS query: 206.181.171.220
Source: unknown TCP traffic detected without corresponding DNS query: 208.127.165.164
Source: unknown TCP traffic detected without corresponding DNS query: 19.133.34.3
Source: unknown TCP traffic detected without corresponding DNS query: 251.47.7.130
Source: unknown TCP traffic detected without corresponding DNS query: 197.147.206.60
Source: unknown TCP traffic detected without corresponding DNS query: 155.23.166.37
Source: unknown TCP traffic detected without corresponding DNS query: 204.206.114.168
Source: unknown TCP traffic detected without corresponding DNS query: 141.155.189.87
Source: unknown TCP traffic detected without corresponding DNS query: 76.120.190.112
Source: unknown TCP traffic detected without corresponding DNS query: 73.77.62.155
Source: unknown TCP traffic detected without corresponding DNS query: 111.151.184.31
Source: unknown TCP traffic detected without corresponding DNS query: 146.209.214.200
Source: unknown TCP traffic detected without corresponding DNS query: 148.202.143.153
Source: unknown TCP traffic detected without corresponding DNS query: 168.155.156.21
Source: unknown TCP traffic detected without corresponding DNS query: 14.222.35.206
Source: unknown TCP traffic detected without corresponding DNS query: 115.108.236.144
Source: unknown TCP traffic detected without corresponding DNS query: 162.155.229.204
Source: unknown TCP traffic detected without corresponding DNS query: 19.70.204.185
Source: unknown TCP traffic detected without corresponding DNS query: 157.38.15.98
Source: unknown TCP traffic detected without corresponding DNS query: 109.86.34.71
Source: unknown TCP traffic detected without corresponding DNS query: 217.180.72.165
Source: unknown TCP traffic detected without corresponding DNS query: 177.27.67.169
Source: unknown TCP traffic detected without corresponding DNS query: 166.28.49.108
Source: unknown TCP traffic detected without corresponding DNS query: 174.37.25.112
Source: unknown TCP traffic detected without corresponding DNS query: 155.112.238.0
Source: unknown TCP traffic detected without corresponding DNS query: 38.198.113.148
Source: unknown TCP traffic detected without corresponding DNS query: 86.184.2.247
Source: unknown TCP traffic detected without corresponding DNS query: 82.74.127.37
Source: unknown TCP traffic detected without corresponding DNS query: 106.95.82.87
Source: unknown TCP traffic detected without corresponding DNS query: 82.159.78.152
Source: unknown TCP traffic detected without corresponding DNS query: 48.25.188.163
Source: unknown TCP traffic detected without corresponding DNS query: 194.78.224.129
Source: unknown TCP traffic detected without corresponding DNS query: 145.11.7.98
Source: unknown TCP traffic detected without corresponding DNS query: 36.164.103.147
Source: unknown TCP traffic detected without corresponding DNS query: 18.160.42.126
Source: unknown TCP traffic detected without corresponding DNS query: 75.134.118.42
Source: unknown TCP traffic detected without corresponding DNS query: 80.68.229.38
Source: unknown TCP traffic detected without corresponding DNS query: 207.85.65.225
Source: unknown TCP traffic detected without corresponding DNS query: 184.84.252.243
Source: unknown TCP traffic detected without corresponding DNS query: 70.224.215.167
Source: unknown TCP traffic detected without corresponding DNS query: 48.22.47.40
Source: unknown TCP traffic detected without corresponding DNS query: 75.91.72.202
Source: unknown TCP traffic detected without corresponding DNS query: 95.197.174.237
Source: unknown TCP traffic detected without corresponding DNS query: 12.60.239.205
Source: unknown TCP traffic detected without corresponding DNS query: 119.160.44.82
Source: unknown TCP traffic detected without corresponding DNS query: 146.254.139.189
Source: SedZv73LJb String found in binary or memory: http://upx.sf.net

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: SedZv73LJb, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: 5218.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5226.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5216.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5220.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Sample tries to kill a process (SIGKILL)
Source: /tmp/SedZv73LJb (PID: 5218) SIGKILL sent: pid: 936, result: successful
Source: /tmp/SedZv73LJb (PID: 5224) SIGKILL sent: pid: 5218, result: successful
Source: /tmp/SedZv73LJb (PID: 5224) SIGKILL sent: pid: 759, result: successful
Source: classification engine Classification label: mal84.troj.evad.lin@0/2@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/4450/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/4450/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/4331/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/4331/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2033/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2033/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2033/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1582/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1582/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1582/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2275/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2275/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1612/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1612/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1612/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1579/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1579/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1579/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1699/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1699/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1699/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1335/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1335/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1335/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1698/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1698/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1698/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2028/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2028/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2028/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1334/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1334/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1334/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1576/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1576/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1576/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2302/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2302/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/3236/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/3236/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2025/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2025/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2025/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2146/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2146/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/910/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/912/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/912/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/912/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/759/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/759/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/759/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/517/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2307/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2307/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/918/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/918/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/918/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/5030/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/5030/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1594/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1594/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1594/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2285/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2285/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2281/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2281/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1349/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1349/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1349/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1623/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1623/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1623/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/761/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/761/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/761/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1622/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1622/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1622/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/884/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/884/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/884/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1983/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1983/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1983/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2038/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2038/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/2038/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1586/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1586/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1586/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1465/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1465/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1465/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1344/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1344/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1344/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1860/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1860/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1860/exe
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1463/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1463/fd
Source: /tmp/SedZv73LJb (PID: 5224) File opened: /proc/1463/exe
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5258) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FfRdbVixpI /tmp/tmp.30Eql1npMD /tmp/tmp.8ub6rio7wF

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SedZv73LJb (PID: 5216) Queries kernel information via 'uname':
Source: SedZv73LJb, 5216.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, SedZv73LJb, 5218.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, SedZv73LJb, 5220.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, SedZv73LJb, 5226.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp Binary or memory string: Mx86_64/usr/bin/qemu-mipsel/tmp/SedZv73LJbSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SedZv73LJb
Source: SedZv73LJb, 5216.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, SedZv73LJb, 5218.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, SedZv73LJb, 5220.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, SedZv73LJb, 5226.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: SedZv73LJb, 5216.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, SedZv73LJb, 5218.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, SedZv73LJb, 5220.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, SedZv73LJb, 5226.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: SedZv73LJb, 5216.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, SedZv73LJb, 5218.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, SedZv73LJb, 5220.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, SedZv73LJb, 5226.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP