Linux Analysis Report s7vKdnDi77

Overview

General Information

Sample Name: s7vKdnDi77
Analysis ID: 553138
MD5: c7004f16f15c92e4acd0d78825329a56
SHA1: 08759270368ad69eab73219cc032a3dca620f1da
SHA256: 1ed43a0a7805aff1bae9db3a9cdd0a45ceb3fbd18f84ce7d8cf0c4d49d918838
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 96
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Contains symbols with names commonly found in malware
Yara signature match
Sample contains strings indicative of password brute-forcing capabilities
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: s7vKdnDi77 Virustotal: Detection: 59%
Source: s7vKdnDi77 Metadefender: Detection: 37%
Source: s7vKdnDi77 ReversingLabs: Detection: 62%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:39428 -> 109.237.96.10:16771
Sample listens on a socket
Source: /tmp/s7vKdnDi77 (PID: 5240) Socket: 127.0.0.1::9473
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary:

Malicious sample detected (through community Yara rule)
Source: s7vKdnDi77, type: SAMPLE Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5240.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5246.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_app.c
Source: ELF static info symbol of initial sample Name: attack_app_http
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_method.c
Source: ELF static info symbol of initial sample Name: attack_method_ack
Source: ELF static info symbol of initial sample Name: attack_method_gre
Yara signature match
Source: s7vKdnDi77, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: s7vKdnDi77, type: SAMPLE Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5240.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5240.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5240.1.0000000063017c71.000000008031ab92.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5246.1.0000000063017c71.000000008031ab92.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5246.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5246.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: Process Memory Space: s7vKdnDi77 PID: 5240, type: MEMORYSTR Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: Process Memory Space: s7vKdnDi77 PID: 5246, type: MEMORYSTR Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: admin1234
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 12345678
Source: classification engine Classification label: mal96.troj.lin@0/0@0/0

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/s7vKdnDi77 (PID: 5240) Queries kernel information via 'uname'
Source: s7vKdnDi77, 5240.1.00000000b6b1ac15.00000000185438df.rw-.sdmp, s7vKdnDi77, 5246.1.00000000b6b1ac15.00000000cef7dc57.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: s7vKdnDi77, 5240.1.00000000b6b1ac15.00000000185438df.rw-.sdmp, s7vKdnDi77, 5246.1.00000000b6b1ac15.00000000cef7dc57.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: s7vKdnDi77, 5240.1.00000000c2533b13.00000000a1dd4886.rw-.sdmp, s7vKdnDi77, 5246.1.00000000c2533b13.00000000a1dd4886.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: s7vKdnDi77, 5240.1.00000000c2533b13.00000000a1dd4886.rw-.sdmp, s7vKdnDi77, 5246.1.00000000c2533b13.00000000a1dd4886.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/s7vKdnDi77SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/s7vKdnDi77

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: s7vKdnDi77, type: SAMPLE
Source: Yara match File source: 5240.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5246.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: s7vKdnDi77, type: SAMPLE
Source: Yara match File source: 5240.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5246.1.0000000050b0cb91.00000000265421ed.r-x.sdmp, type: MEMORY