Play interactive tour

Edit tour

Linux Analysis Report x86

Overview

General Information

Sample Name:	x86
Analysis ID:	553313
MD5:	7a4f14429f8c54d68656cfafc8528a34
SHA1:	d892fbd509b99745ee003ed803bc582b9b190ce9
SHA256:	146bbed5eaaf63f99842e41f64ac4771c3622ff9f6db8712a89a0731d4ec6a95
Tags:	elf
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Yara signature match

Sample has stripped symbol table

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553313
Start date:	14.01.2022
Start time:	16:48:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	x86
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.troj.lin@0/1@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5207, Parent: 4331)

cat (PID: 5207, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.jjJ0hUD84m

dash New Fork (PID: 5208, Parent: 4331)

head (PID: 5208, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5209, Parent: 4331)

tr (PID: 5209, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5210, Parent: 4331)

cut (PID: 5210, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5211, Parent: 4331)

cat (PID: 5211, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.jjJ0hUD84m

dash New Fork (PID: 5212, Parent: 4331)

head (PID: 5212, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5213, Parent: 4331)

tr (PID: 5213, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5214, Parent: 4331)

cut (PID: 5214, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5217, Parent: 4331)

rm (PID: 5217, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.jjJ0hUD84m /tmp/tmp.W8UIKPggkC /tmp/tmp.KmcGhooTuj

x86 (PID: 5244, Parent: 5129, MD5: 7a4f14429f8c54d68656cfafc8528a34) Arguments: /tmp/x86

x86 New Fork (PID: 5245, Parent: 5244)

x86 New Fork (PID: 5246, Parent: 5244)

x86 New Fork (PID: 5247, Parent: 5244)

x86 New Fork (PID: 5248, Parent: 5247)

x86 New Fork (PID: 5249, Parent: 5247)

x86 New Fork (PID: 5250, Parent: 5247)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
x86	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xefc4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf034:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf0a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf114:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf184:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf3f4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf448:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf49c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf4f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf544:$xo1: oMXKNNC\x0D\x17\x0C\x12
x86	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xe9e0:$x1: POST /cdn-cgi/ 0xee2b:$s1: LCOGQGPTGP
x86	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5249.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
5245.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
5246.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
5244.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xefc4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf034:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf0a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf114:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf184:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf3f4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf448:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf49c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf4f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf544:$xo1: oMXKNNC\x0D\x17\x0C\x12
5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xe9e0:$x1: POST /cdn-cgi/ 0xee2b:$s1: LCOGQGPTGP
5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xefc4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf034:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf0a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf114:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf184:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf3f4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf448:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf49c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf4f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf544:$xo1: oMXKNNC\x0D\x17\x0C\x12
5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xe9e0:$x1: POST /cdn-cgi/ 0xee2b:$s1: LCOGQGPTGP
5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xefc4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf034:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf0a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf114:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf184:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf3f4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf448:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf49c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf4f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf544:$xo1: oMXKNNC\x0D\x17\x0C\x12
5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xe9e0:$x1: POST /cdn-cgi/ 0xee2b:$s1: LCOGQGPTGP
5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xefc4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf034:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf0a4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf114:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf184:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf3f4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf448:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf49c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf4f0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0xf544:$xo1: oMXKNNC\x0D\x17\x0C\x12
5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xe9e0:$x1: POST /cdn-cgi/ 0xee2b:$s1: LCOGQGPTGP
5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Click to see the 11 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: x86	Virustotal: Detection: 58%			Perma Link
Source: x86	ReversingLabs: Detection: 62%

Machine Learning detection for sample

Show sources

Source: x86

Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 716 INFO TELNET access 185.190.45.22:23 -> 192.168.2.23:38984
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56264
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56288
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56338
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.190.45.22:23 -> 192.168.2.23:39066
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56352
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56368
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56388
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.190.45.22:23 -> 192.168.2.23:39116
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.84.112.153:23 -> 192.168.2.23:35498
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.84.112.153:23 -> 192.168.2.23:35498
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56402
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56408
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56448
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.190.45.22:23 -> 192.168.2.23:39188
Source: Traffic	Snort IDS: 716 INFO TELNET access 116.214.36.17:23 -> 192.168.2.23:56472

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:45900 -> 107.189.12.189:1791

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 107.189.12.189
Source: unknown	TCP traffic detected without corresponding DNS query: 243.37.169.55
Source: unknown	TCP traffic detected without corresponding DNS query: 35.136.197.55
Source: unknown	TCP traffic detected without corresponding DNS query: 89.212.117.85
Source: unknown	TCP traffic detected without corresponding DNS query: 251.241.205.121
Source: unknown	TCP traffic detected without corresponding DNS query: 250.157.118.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.122.69.132
Source: unknown	TCP traffic detected without corresponding DNS query: 24.87.252.192
Source: unknown	TCP traffic detected without corresponding DNS query: 198.219.62.200
Source: unknown	TCP traffic detected without corresponding DNS query: 202.222.25.214
Source: unknown	TCP traffic detected without corresponding DNS query: 183.23.73.201
Source: unknown	TCP traffic detected without corresponding DNS query: 165.207.214.42
Source: unknown	TCP traffic detected without corresponding DNS query: 119.79.202.102
Source: unknown	TCP traffic detected without corresponding DNS query: 48.75.93.136
Source: unknown	TCP traffic detected without corresponding DNS query: 197.34.228.50
Source: unknown	TCP traffic detected without corresponding DNS query: 191.20.42.9
Source: unknown	TCP traffic detected without corresponding DNS query: 161.87.247.228
Source: unknown	TCP traffic detected without corresponding DNS query: 107.227.7.215
Source: unknown	TCP traffic detected without corresponding DNS query: 203.114.238.6
Source: unknown	TCP traffic detected without corresponding DNS query: 164.142.229.195
Source: unknown	TCP traffic detected without corresponding DNS query: 119.162.103.213
Source: unknown	TCP traffic detected without corresponding DNS query: 191.8.159.234
Source: unknown	TCP traffic detected without corresponding DNS query: 109.22.115.235
Source: unknown	TCP traffic detected without corresponding DNS query: 135.138.75.14
Source: unknown	TCP traffic detected without corresponding DNS query: 60.232.21.233
Source: unknown	TCP traffic detected without corresponding DNS query: 254.170.80.221
Source: unknown	TCP traffic detected without corresponding DNS query: 4.135.61.101
Source: unknown	TCP traffic detected without corresponding DNS query: 174.126.40.176
Source: unknown	TCP traffic detected without corresponding DNS query: 42.24.90.226
Source: unknown	TCP traffic detected without corresponding DNS query: 81.165.92.42
Source: unknown	TCP traffic detected without corresponding DNS query: 78.222.25.18
Source: unknown	TCP traffic detected without corresponding DNS query: 184.201.199.67
Source: unknown	TCP traffic detected without corresponding DNS query: 69.251.93.46
Source: unknown	TCP traffic detected without corresponding DNS query: 142.122.144.133
Source: unknown	TCP traffic detected without corresponding DNS query: 182.178.24.227
Source: unknown	TCP traffic detected without corresponding DNS query: 88.24.163.118
Source: unknown	TCP traffic detected without corresponding DNS query: 150.170.142.115
Source: unknown	TCP traffic detected without corresponding DNS query: 101.247.37.89
Source: unknown	TCP traffic detected without corresponding DNS query: 84.234.37.29
Source: unknown	TCP traffic detected without corresponding DNS query: 190.146.146.14
Source: unknown	TCP traffic detected without corresponding DNS query: 144.3.114.9
Source: unknown	TCP traffic detected without corresponding DNS query: 90.16.177.238
Source: unknown	TCP traffic detected without corresponding DNS query: 196.82.139.146
Source: unknown	TCP traffic detected without corresponding DNS query: 27.181.160.181
Source: unknown	TCP traffic detected without corresponding DNS query: 165.201.208.107
Source: unknown	TCP traffic detected without corresponding DNS query: 126.20.91.40
Source: unknown	TCP traffic detected without corresponding DNS query: 213.76.55.61
Source: unknown	TCP traffic detected without corresponding DNS query: 106.165.195.45
Source: unknown	TCP traffic detected without corresponding DNS query: 45.209.44.157
Source: unknown	TCP traffic detected without corresponding DNS query: 31.252.239.67

Source: motd-news.17.dr

String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: x86, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth

Source: x86, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: x86, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5249.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5245.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5246.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5244.1.00000000df678f20.00000000de9fc6d2.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/x86 (PID: 5245)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/x86 (PID: 5248)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/x86 (PID: 5248)	SIGKILL sent: pid: 5245, result: successful
Source: /tmp/x86 (PID: 5248)	SIGKILL sent: pid: 759, result: successful

Source: classification engine

Classification label: mal76.troj.lin@0/1@0/0

Source: /tmp/x86 (PID: 5245)	File opened: /proc/491/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/793/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/772/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/796/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/774/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/797/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/777/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/799/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/658/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/912/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/759/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/936/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/918/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/1/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/761/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/785/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/884/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/720/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/721/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/788/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/789/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/800/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/801/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/847/fd
Source: /tmp/x86 (PID: 5245)	File opened: /proc/904/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2033/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2033/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1582/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1582/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2275/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1612/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1612/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1579/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1579/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1699/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1699/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1335/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1335/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1698/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1698/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2028/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2028/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1334/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1334/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1576/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1576/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2302/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/3236/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2025/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2025/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2146/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2146/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/910/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/912/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/912/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/912/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/759/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/759/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/759/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/517/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2307/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/918/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/918/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/918/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1594/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1594/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2285/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2281/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1349/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1349/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1623/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1623/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/761/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/761/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/761/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1622/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1622/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/884/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/884/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/884/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1983/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1983/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2038/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2038/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1586/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1586/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1465/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1465/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1344/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1344/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1860/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1860/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1463/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1463/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/2156/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/800/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/800/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/800/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/801/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/801/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/801/exe
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1629/fd
Source: /tmp/x86 (PID: 5248)	File opened: /proc/1629/exe

Source: /usr/bin/dash (PID: 5217)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.jjJ0hUD84m /tmp/tmp.W8UIKPggkC /tmp/tmp.KmcGhooTuj

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match	File source: x86, type: SAMPLE
Source: Yara match	File source: 5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match	File source: x86, type: SAMPLE
Source: Yara match	File source: 5244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5246.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5245.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5249.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	File Deletion1	OS Credential Dumping1	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86	58%	Virustotal		Browse
x86	63%	ReversingLabs	Linux.Trojan.Mirai
x86	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ubuntu.com/blog/microk8s-memory-optimisation	motd-news.17.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
158.73.164.6	unknown	United States	19050	TIC-DHHS-INTERIORUS	false
183.213.103.251	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
159.121.22.30	unknown	United States	1798	OREGONUS	false
155.132.163.192	unknown	France	37532	ZAMRENZM	false
97.199.8.160	unknown	United States	6167	CELLCO-PARTUS	false
180.224.232.196	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
12.61.219.1	unknown	United States	7018	ATT-INTERNET4US	false
255.159.244.48	unknown	Reserved	unknown	unknown	false
206.223.243.42	unknown	United States	32204	KPUNETUS	false
14.183.60.165	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
82.22.24.220	unknown	United Kingdom	5089	NTLGB	false
88.86.153.238	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
125.166.6.7	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
44.211.207.114	unknown	United States	14618	AMAZON-AESUS	false
202.132.246.96	unknown	Taiwan; Republic of China (ROC)	9924	TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi	false
184.136.53.234	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
76.35.148.229	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
117.57.68.245	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
198.153.190.22	unknown	United States	55221	NPG-ASUS	false
88.236.99.235	unknown	Turkey	9121	TTNETTR	false
158.38.7.66	unknown	Norway	224	UNINETTUNINETTTheNorwegianUniversityResearchNetwork	false
133.152.175.194	unknown	Japan	17819	ASN-EQUINIX-APEquinixAsiaPacificSG	false
17.20.86.44	unknown	United States	714	APPLE-ENGINEERINGUS	false
217.249.44.246	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
152.255.176.33	unknown	Brazil	26599	TELEFONICABRASILSABR	false
77.37.107.97	unknown	Germany	8893	ARTFILES-ASZirkusweg1DE	false
138.226.98.73	unknown	Switzerland	12980	EMEAHostingAutonomousSystemEU	false
147.166.88.168	unknown	United States	1452	DNIC-ASBLK-01451-01456US	false
27.151.37.23	unknown	China	133774	CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN	false
12.164.149.163	unknown	United States	7018	ATT-INTERNET4US	false
76.225.145.21	unknown	United States	7018	ATT-INTERNET4US	false
172.245.6.39	unknown	United States	55286	SERVER-MANIACA	false
220.6.222.134	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
67.58.76.64	unknown	United States	27221	ARDMORE-TELUS	false
80.222.97.33	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
216.218.72.80	unknown	United States	20257	FTC-INETUS	false
191.196.35.86	unknown	Brazil	26599	TELEFONICABRASILSABR	false
81.162.191.193	unknown	Moldova Republic of	57598	FIBERHOP-ASNMD	false
195.71.65.187	unknown	Germany	6805	TDDE-ASN1DE	false
106.94.251.255	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
195.64.154.153	unknown	Ukraine	197726	UKRNAMES-ASUA	false
77.156.42.5	unknown	France	15557	LDCOMNETFR	false
152.196.192.223	unknown	United States	701	UUNETUS	false
93.161.25.227	unknown	Denmark	3292	TDCTDCASDK	false
159.37.110.25	unknown	United States	30449	AZSTATEUS	false
87.15.59.112	unknown	Italy	3269	ASN-IBSNAZIT	false
64.1.145.57	unknown	United States	2828	XO-AS15US	false
108.22.97.108	unknown	United States	701	UUNETUS	false
62.35.61.113	unknown	France	5410	BOUYGTEL-ISPFR	false
240.55.97.156	unknown	Reserved	unknown	unknown	false
147.171.34.38	unknown	France	1942	FR-TIGREToileInformatiqueGREnobloiseEU	false
104.15.73.28	unknown	United States	7018	ATT-INTERNET4US	false
83.97.13.148	unknown	Netherlands	30879	RAI-ASNL	false
18.41.244.81	unknown	United States	3	MIT-GATEWAYSUS	false
75.230.2.147	unknown	United States	22394	CELLCOUS	false
213.30.159.24	unknown	France	12670	AS-COMPLETELFR	false
89.189.111.208	unknown	Russian Federation	41349	MVMTECH-ASRU	false
35.129.6.125	unknown	United States	20115	CHARTER-20115US	false
241.213.38.46	unknown	Reserved	unknown	unknown	false
160.217.211.17	unknown	Czech Republic	2852	CESNET2CZ	false
220.229.198.13	unknown	Taiwan; Republic of China (ROC)	9919	NCIC-TWNewCenturyInfoCommTechCoLtdTW	false
147.200.14.160	unknown	Australia	55542	RMSNET-AS-APRoadsandMaritimeServicesAU	false
150.170.142.115	unknown	United States	26438	MONROE-COMMUNITY-COLLEGEUS	false
76.2.64.79	unknown	United States	14921	CENTURYLINK-LEGACY-EMBARQ-HDRVUS	false
81.126.248.41	unknown	Italy	3269	ASN-IBSNAZIT	false
253.211.173.107	unknown	Reserved	unknown	unknown	false
31.119.40.0	unknown	United Kingdom	12576	EELtdGB	false
180.241.233.157	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
20.82.204.32	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
1.3.127.53	unknown	China	13335	CLOUDFLARENETUS	false
95.76.74.187	unknown	Romania	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
252.59.166.227	unknown	Reserved	unknown	unknown	false
86.35.76.176	unknown	Romania	9050	RTDBucharestRomaniaRO	false
63.59.220.25	unknown	United States	701	UUNETUS	false
39.162.123.35	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
147.100.61.19	unknown	France	2200	FR-RENATERReseauNationaldetelecommunicationspourlaTec	false
248.163.189.243	unknown	Reserved	unknown	unknown	false
187.139.246.120	unknown	Mexico	8151	UninetSAdeCVMX	false
195.113.110.44	unknown	Czech Republic	2852	CESNET2CZ	false
177.249.48.53	unknown	Mexico	16960	CablevisionRedSAdeCVMX	false
202.165.86.173	unknown	Australia	10113	EFTEL-AS-APEftelLimitedAU	false
207.40.248.96	unknown	United States	1239	SPRINTLINKUS	false
206.230.26.182	unknown	United States	1239	SPRINTLINKUS	false
174.98.153.220	unknown	United States	10796	TWC-10796-MIDWESTUS	false
164.28.9.155	unknown	Germany	29355	KCELL-ASKZ	false
175.8.178.190	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
73.11.175.211	unknown	United States	7922	COMCAST-7922US	false
117.7.194.187	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
77.247.70.31	unknown	Denmark	31590	RACKHOSTING-ASDK	false
2.78.150.211	unknown	Kazakhstan	29355	KCELL-ASKZ	false
104.156.200.250	unknown	United States	21743	ANL-36US	false
174.102.8.48	unknown	United States	10796	TWC-10796-MIDWESTUS	false
164.4.87.160	unknown	Sweden	44013	SANDVIK-ASSE	false
197.50.232.231	unknown	Egypt	8452	TE-ASTE-ASEG	false
195.66.140.144	unknown	Ukraine	39027	BATYEVKA-NET-ASUA	false
244.54.225.33	unknown	Reserved	unknown	unknown	false
32.108.138.1	unknown	United States	2688	ATGS-MMD-ASUS	false
201.60.59.246	unknown	Brazil	27699	TELEFONICABRASILSABR	false
67.34.85.77	unknown	United States	6389	BELLSOUTH-NET-BLKUS	false
193.252.238.252	unknown	France	3215	FranceTelecom-OrangeFR	false

Runtime Messages

Command:	/tmp/x86
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest'/proc/'/exe
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/var/cache/motd-news Download File
Process:	/usr/bin/cut
File Type:	ASCII text
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.515771857099866
Encrypted:	false
SSDEEP:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
MD5:	DD514F892B5F93ED615D366E58AC58AF
SHA1:	BA75EDB3C2232CC260BC187F604DC8F25AA72C11
SHA-256:	F40D0DCE6E83DF74109FEF5E68E51CC255727783EEAE04C3E34677E23F7552CF
SHA-512:	9150BDE63F6C4850C5340D8877892B4D9BBF9EBDC98CDCF557A93FA304C1222CEE446418F5BE2ACCDBF38393778AFA5D4F3EDCB37A47BF57D3A4B2DEAD42A2D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	* Super-optimized for small spaces - read how we shrank the memory. footprint of MicroK8s to make it the smallest full K8s around... https://ubuntu.com/blog/microk8s-memory-optimisation.

Static File Info

General
File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.4083584263947255
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	x86
File size:	66136
MD5:	7a4f14429f8c54d68656cfafc8528a34
SHA1:	d892fbd509b99745ee003ed803bc582b9b190ce9
SHA256:	146bbed5eaaf63f99842e41f64ac4771c3622ff9f6db8712a89a0731d4ec6a95
SHA512:	590fdae2eb9c336f5485ab46d7e50b7c5ac0363f293ccdb4c8d7ecc3a8adef67af54d606d33beb319904a1e4553f4944cfc0dd61c575d291e44bba5114b94d1e
SSDEEP:	1536:IoRC9170vwHbQXZ5+qXDEuXi90dSW7V/DjObeFt6PuQ4Zx:PC917iwHbQXZ5+qXA594SWZ/XObeb6G7
File Content Preview:	.ELF....................d...4...........4. ...(..................... ... ...........................................Q.td............................U..S.......w....h........[]...$.............U......=.....t..5....$......$.......u........t....h {..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	65736
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0xe906	0x0	0x6	AX	16
.fini	PROGBITS	0x80569b6	0xe9b6	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x80569e0	0xe9e0	0x1140	0x0	0x2	A	32
.ctors	PROGBITS	0x8058000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8058008	0x10008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8058020	0x10020	0x68	0x0	0x3	WA	4
.bss	NOBITS	0x80580a0	0x10088	0x860	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x10088	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0xfb20	0xfb20	3.8566	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x10000	0x8058000	0x8058000	0x88	0x900	1.0811	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 16:49:03.493927002 CET	45900	1791	192.168.2.23	107.189.12.189
Jan 14, 2022 16:49:03.494188070 CET	56051	23	192.168.2.23	243.37.169.55
Jan 14, 2022 16:49:03.494209051 CET	56051	23	192.168.2.23	35.136.197.55
Jan 14, 2022 16:49:03.494227886 CET	56051	23	192.168.2.23	89.212.117.85
Jan 14, 2022 16:49:03.494226933 CET	56051	23	192.168.2.23	251.241.205.121
Jan 14, 2022 16:49:03.494237900 CET	56051	23	192.168.2.23	250.157.118.1
Jan 14, 2022 16:49:03.494230986 CET	56051	23	192.168.2.23	98.122.69.132
Jan 14, 2022 16:49:03.494237900 CET	56051	23	192.168.2.23	24.87.252.192
Jan 14, 2022 16:49:03.494266987 CET	56051	23	192.168.2.23	198.219.62.200
Jan 14, 2022 16:49:03.494275093 CET	56051	23	192.168.2.23	202.222.25.214
Jan 14, 2022 16:49:03.494282007 CET	56051	23	192.168.2.23	183.23.73.201
Jan 14, 2022 16:49:03.494287014 CET	56051	23	192.168.2.23	165.207.214.42
Jan 14, 2022 16:49:03.494297981 CET	56051	23	192.168.2.23	119.79.202.102
Jan 14, 2022 16:49:03.494297981 CET	56051	23	192.168.2.23	48.75.93.136
Jan 14, 2022 16:49:03.494313955 CET	56051	23	192.168.2.23	197.34.228.50
Jan 14, 2022 16:49:03.494311094 CET	56051	23	192.168.2.23	191.20.42.9
Jan 14, 2022 16:49:03.494314909 CET	56051	23	192.168.2.23	161.87.247.228
Jan 14, 2022 16:49:03.494322062 CET	56051	23	192.168.2.23	107.227.7.215
Jan 14, 2022 16:49:03.494343996 CET	56051	23	192.168.2.23	203.114.238.6
Jan 14, 2022 16:49:03.494353056 CET	56051	23	192.168.2.23	164.142.229.195
Jan 14, 2022 16:49:03.494359016 CET	56051	23	192.168.2.23	119.162.103.213
Jan 14, 2022 16:49:03.494362116 CET	56051	23	192.168.2.23	191.8.159.234
Jan 14, 2022 16:49:03.495537043 CET	56051	23	192.168.2.23	109.22.115.235
Jan 14, 2022 16:49:03.495554924 CET	56051	23	192.168.2.23	135.138.75.14
Jan 14, 2022 16:49:03.495565891 CET	56051	23	192.168.2.23	60.232.21.233
Jan 14, 2022 16:49:03.495565891 CET	56051	23	192.168.2.23	254.170.80.221
Jan 14, 2022 16:49:03.495569944 CET	56051	23	192.168.2.23	4.135.61.101
Jan 14, 2022 16:49:03.495570898 CET	56051	23	192.168.2.23	174.126.40.176
Jan 14, 2022 16:49:03.495578051 CET	56051	23	192.168.2.23	42.24.90.226
Jan 14, 2022 16:49:03.495579004 CET	56051	23	192.168.2.23	81.165.92.42
Jan 14, 2022 16:49:03.495587111 CET	56051	23	192.168.2.23	78.222.25.18
Jan 14, 2022 16:49:03.495589018 CET	56051	23	192.168.2.23	184.201.199.67
Jan 14, 2022 16:49:03.495594978 CET	56051	23	192.168.2.23	69.251.93.46
Jan 14, 2022 16:49:03.495599031 CET	56051	23	192.168.2.23	142.122.144.133
Jan 14, 2022 16:49:03.495600939 CET	56051	23	192.168.2.23	182.178.24.227
Jan 14, 2022 16:49:03.495601892 CET	56051	23	192.168.2.23	88.24.163.118
Jan 14, 2022 16:49:03.495610952 CET	56051	23	192.168.2.23	150.170.142.115
Jan 14, 2022 16:49:03.495614052 CET	56051	23	192.168.2.23	101.247.37.89
Jan 14, 2022 16:49:03.495635033 CET	56051	23	192.168.2.23	84.234.37.29
Jan 14, 2022 16:49:03.495647907 CET	56051	23	192.168.2.23	190.146.146.14
Jan 14, 2022 16:49:03.495659113 CET	56051	23	192.168.2.23	144.3.114.9
Jan 14, 2022 16:49:03.495672941 CET	56051	23	192.168.2.23	90.16.177.238
Jan 14, 2022 16:49:03.495675087 CET	56051	23	192.168.2.23	196.82.139.146
Jan 14, 2022 16:49:03.495678902 CET	56051	23	192.168.2.23	27.181.160.181
Jan 14, 2022 16:49:03.495682001 CET	56051	23	192.168.2.23	165.201.208.107
Jan 14, 2022 16:49:03.495703936 CET	56051	23	192.168.2.23	126.20.91.40
Jan 14, 2022 16:49:03.495708942 CET	56051	23	192.168.2.23	213.76.55.61
Jan 14, 2022 16:49:03.495743036 CET	56051	23	192.168.2.23	106.165.195.45
Jan 14, 2022 16:49:03.495752096 CET	56051	23	192.168.2.23	45.209.44.157
Jan 14, 2022 16:49:03.495757103 CET	56051	23	192.168.2.23	31.252.239.67
Jan 14, 2022 16:49:03.495769978 CET	56051	23	192.168.2.23	218.112.34.13
Jan 14, 2022 16:49:03.495771885 CET	56051	23	192.168.2.23	133.109.206.58
Jan 14, 2022 16:49:03.495773077 CET	56051	23	192.168.2.23	171.32.251.240
Jan 14, 2022 16:49:03.495776892 CET	56051	23	192.168.2.23	169.130.138.123
Jan 14, 2022 16:49:03.495810032 CET	56051	23	192.168.2.23	218.152.45.181
Jan 14, 2022 16:49:03.495811939 CET	56051	23	192.168.2.23	115.205.230.231
Jan 14, 2022 16:49:03.495822906 CET	56051	23	192.168.2.23	60.77.211.199
Jan 14, 2022 16:49:03.495832920 CET	56051	23	192.168.2.23	78.104.112.106
Jan 14, 2022 16:49:03.495839119 CET	56051	23	192.168.2.23	113.169.201.101
Jan 14, 2022 16:49:03.495846987 CET	56051	23	192.168.2.23	172.227.121.106
Jan 14, 2022 16:49:03.495855093 CET	56051	23	192.168.2.23	211.41.137.85
Jan 14, 2022 16:49:03.495862007 CET	56051	23	192.168.2.23	110.13.0.233
Jan 14, 2022 16:49:03.495862007 CET	56051	23	192.168.2.23	179.68.169.85
Jan 14, 2022 16:49:03.495862961 CET	56051	23	192.168.2.23	157.44.38.200
Jan 14, 2022 16:49:03.495863914 CET	56051	23	192.168.2.23	101.218.97.48
Jan 14, 2022 16:49:03.495865107 CET	56051	23	192.168.2.23	101.150.163.235
Jan 14, 2022 16:49:03.495867014 CET	56051	23	192.168.2.23	118.134.88.107
Jan 14, 2022 16:49:03.495868921 CET	56051	23	192.168.2.23	204.24.236.48
Jan 14, 2022 16:49:03.495882034 CET	56051	23	192.168.2.23	241.203.59.238
Jan 14, 2022 16:49:03.495893955 CET	56051	23	192.168.2.23	77.249.181.147
Jan 14, 2022 16:49:03.495902061 CET	56051	23	192.168.2.23	156.108.68.118
Jan 14, 2022 16:49:03.495909929 CET	56051	23	192.168.2.23	119.24.8.255
Jan 14, 2022 16:49:03.495917082 CET	56051	23	192.168.2.23	181.30.138.216
Jan 14, 2022 16:49:03.495927095 CET	56051	23	192.168.2.23	177.254.1.206
Jan 14, 2022 16:49:03.495932102 CET	56051	23	192.168.2.23	161.229.43.226
Jan 14, 2022 16:49:03.495932102 CET	56051	23	192.168.2.23	218.242.245.21
Jan 14, 2022 16:49:03.495933056 CET	56051	23	192.168.2.23	192.135.34.33
Jan 14, 2022 16:49:03.495934010 CET	56051	23	192.168.2.23	78.151.203.223
Jan 14, 2022 16:49:03.495932102 CET	56051	23	192.168.2.23	196.229.26.247
Jan 14, 2022 16:49:03.495939970 CET	56051	23	192.168.2.23	179.26.100.88
Jan 14, 2022 16:49:03.495944977 CET	56051	23	192.168.2.23	38.151.184.175
Jan 14, 2022 16:49:03.495949030 CET	56051	23	192.168.2.23	53.124.0.146
Jan 14, 2022 16:49:03.496011019 CET	56051	23	192.168.2.23	147.51.19.153
Jan 14, 2022 16:49:03.496015072 CET	56051	23	192.168.2.23	155.251.203.58
Jan 14, 2022 16:49:03.496020079 CET	56051	23	192.168.2.23	189.128.193.232
Jan 14, 2022 16:49:03.496021032 CET	56051	23	192.168.2.23	164.39.119.160
Jan 14, 2022 16:49:03.496023893 CET	56051	23	192.168.2.23	121.111.152.8
Jan 14, 2022 16:49:03.496025085 CET	56051	23	192.168.2.23	45.132.3.167
Jan 14, 2022 16:49:03.496023893 CET	56051	23	192.168.2.23	72.228.47.33
Jan 14, 2022 16:49:03.496025085 CET	56051	23	192.168.2.23	208.80.104.231
Jan 14, 2022 16:49:03.496031046 CET	56051	23	192.168.2.23	99.228.146.144
Jan 14, 2022 16:49:03.496031046 CET	56051	23	192.168.2.23	71.244.230.226
Jan 14, 2022 16:49:03.496033907 CET	56051	23	192.168.2.23	217.253.22.107
Jan 14, 2022 16:49:03.496037960 CET	56051	23	192.168.2.23	62.160.128.68
Jan 14, 2022 16:49:03.496048927 CET	56051	23	192.168.2.23	75.253.223.171
Jan 14, 2022 16:49:03.496053934 CET	56051	23	192.168.2.23	9.207.193.194
Jan 14, 2022 16:49:03.496056080 CET	56051	23	192.168.2.23	116.230.228.53
Jan 14, 2022 16:49:03.496062994 CET	56051	23	192.168.2.23	124.165.104.193
Jan 14, 2022 16:49:03.496067047 CET	56051	23	192.168.2.23	196.19.177.106
Jan 14, 2022 16:49:03.496071100 CET	56051	23	192.168.2.23	118.60.99.50

System Behavior

Analysis Process: dash PID: 5207 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 5207 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.jjJ0hUD84m
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: dash PID: 5208 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: head PID: 5208 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Analysis Process: dash PID: 5209 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: tr PID: 5209 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Analysis Process: dash PID: 5210 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cut PID: 5210 Parent PID: 4331

General

Start time:	16:48:52
Start date:	14/01/2022
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Analysis Process: dash PID: 5211 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 5211 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.jjJ0hUD84m
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: dash PID: 5212 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: head PID: 5212 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Analysis Process: dash PID: 5213 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: tr PID: 5213 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Analysis Process: dash PID: 5214 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cut PID: 5214 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Analysis Process: dash PID: 5217 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5217 Parent PID: 4331

General

Start time:	16:48:53
Start date:	14/01/2022
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.jjJ0hUD84m /tmp/tmp.W8UIKPggkC /tmp/tmp.KmcGhooTuj
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: x86 PID: 5244 Parent PID: 5129

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	/tmp/x86
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Analysis Process: x86 PID: 5245 Parent PID: 5244

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Analysis Process: x86 PID: 5246 Parent PID: 5244

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Analysis Process: x86 PID: 5247 Parent PID: 5244

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Analysis Process: x86 PID: 5248 Parent PID: 5247

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Analysis Process: x86 PID: 5249 Parent PID: 5247

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Analysis Process: x86 PID: 5250 Parent PID: 5247

General

Start time:	16:49:02
Start date:	14/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	66136 bytes
MD5 hash:	7a4f14429f8c54d68656cfafc8528a34

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report x86

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 5207 Parent PID: 4331

General

Analysis Process: cat PID: 5207 Parent PID: 4331

General

Analysis Process: dash PID: 5208 Parent PID: 4331

General

Analysis Process: head PID: 5208 Parent PID: 4331

General

Analysis Process: dash PID: 5209 Parent PID: 4331

General

Analysis Process: tr PID: 5209 Parent PID: 4331

General

Analysis Process: dash PID: 5210 Parent PID: 4331

General

Analysis Process: cut PID: 5210 Parent PID: 4331

General

Analysis Process: dash PID: 5211 Parent PID: 4331

General

Analysis Process: cat PID: 5211 Parent PID: 4331

General

Analysis Process: dash PID: 5212 Parent PID: 4331

General

Analysis Process: head PID: 5212 Parent PID: 4331