Linux Analysis Report phantom.arm

Overview

General Information

Sample Name: phantom.arm
Analysis ID: 553471
MD5: 68e2af8c373a84efe401eb533d3c1e81
SHA1: a1cdeb4ebe3eb3325aa8d54a8a98d450baa979e8
SHA256: 69de6fe6f58b418869a77daf57cb8ff21d3ef60793f8ec8101fde750746252ee
Tags: Mirai
Infos:

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "systemctl" command used for controlling the systemd system and service manager
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: phantom.arm Virustotal: Detection: 28% Perma Link
Source: phantom.arm ReversingLabs: Detection: 37%

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 716 INFO TELNET access 103.199.146.177:23 -> 192.168.2.23:44952
Source: Traffic Snort IDS: 477 ICMP Source Quench 172.30.17.162: -> 192.168.2.23:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.250.173.125:23 -> 192.168.2.23:43184
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.250.173.125:23 -> 192.168.2.23:43184
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39180
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39180
Source: Traffic Snort IDS: 716 INFO TELNET access 103.199.146.177:23 -> 192.168.2.23:45054
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39256
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39256
Source: Traffic Snort IDS: 716 INFO TELNET access 31.204.165.221:23 -> 192.168.2.23:54588
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39324
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39324
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39366
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 188.247.179.52:23 -> 192.168.2.23:53228
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 188.247.179.52:23 -> 192.168.2.23:53228
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39366
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39374
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39374
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 83.1.247.96:23 -> 192.168.2.23:52858
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 83.1.247.96:23 -> 192.168.2.23:52858
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 83.1.247.96:23 -> 192.168.2.23:52864
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 83.1.247.96:23 -> 192.168.2.23:52864
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39404
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.250.173.125:23 -> 192.168.2.23:43430
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.250.173.125:23 -> 192.168.2.23:43430
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 83.1.247.96:23 -> 192.168.2.23:52870
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 83.1.247.96:23 -> 192.168.2.23:52870
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 83.1.247.96:23 -> 192.168.2.23:52876
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 83.1.247.96:23 -> 192.168.2.23:52876
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39404
Source: Traffic Snort IDS: 716 INFO TELNET access 103.199.146.177:23 -> 192.168.2.23:45288
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39466
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39466
Source: Traffic Snort IDS: 716 INFO TELNET access 31.204.165.221:23 -> 192.168.2.23:54754
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39512
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39512
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58102
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.195.194.215:23 -> 192.168.2.23:35742
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.195.194.215:23 -> 192.168.2.23:35742
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58102
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39560
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39560
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58122
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.172.162.228:23 -> 192.168.2.23:50800
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.172.162.228:23 -> 192.168.2.23:50800
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58122
Source: Traffic Snort IDS: 716 INFO TELNET access 201.184.50.75:23 -> 192.168.2.23:39596
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58164
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.184.50.75:23 -> 192.168.2.23:39596
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.195.194.215:23 -> 192.168.2.23:35800
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.195.194.215:23 -> 192.168.2.23:35800
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58164
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58200
Source: Traffic Snort IDS: 716 INFO TELNET access 103.199.146.177:23 -> 192.168.2.23:45488
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.232.65.16:23 -> 192.168.2.23:35120
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.232.65.16:23 -> 192.168.2.23:35120
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58200
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.250.173.125:23 -> 192.168.2.23:43692
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.250.173.125:23 -> 192.168.2.23:43692
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58210
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.23:22518 -> 63.153.187.104:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.195.194.215:23 -> 192.168.2.23:35860
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.195.194.215:23 -> 192.168.2.23:35860
Source: Traffic Snort IDS: 716 INFO TELNET access 1.34.205.104:23 -> 192.168.2.23:38186
Source: Traffic Snort IDS: 716 INFO TELNET access 31.204.165.221:23 -> 192.168.2.23:54960
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58210
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.34.205.104:23 -> 192.168.2.23:38186
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.34.205.104:23 -> 192.168.2.23:38186
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58248
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58248
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45284
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.232.65.16:23 -> 192.168.2.23:35174
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.232.65.16:23 -> 192.168.2.23:35174
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.195.194.215:23 -> 192.168.2.23:35914
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.195.194.215:23 -> 192.168.2.23:35914
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45318
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58296
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58296
Source: Traffic Snort IDS: 716 INFO TELNET access 1.34.205.104:23 -> 192.168.2.23:38266
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 91.150.15.83: -> 192.168.2.23:
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45332
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58334
Source: Traffic Snort IDS: 716 INFO TELNET access 219.157.79.194:23 -> 192.168.2.23:43646
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45360
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58334
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.34.205.104:23 -> 192.168.2.23:38266
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.34.205.104:23 -> 192.168.2.23:38266
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45380
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.195.194.215:23 -> 192.168.2.23:35992
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.195.194.215:23 -> 192.168.2.23:35992
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58380
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.172.162.228:23 -> 192.168.2.23:51044
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.172.162.228:23 -> 192.168.2.23:51044
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 1.232.65.16:23 -> 192.168.2.23:35278
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 1.232.65.16:23 -> 192.168.2.23:35278
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.58.246.113:23 -> 192.168.2.23:58380
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45402
Source: Traffic Snort IDS: 716 INFO TELNET access 103.199.146.177:23 -> 192.168.2.23:45686
Source: Traffic Snort IDS: 716 INFO TELNET access 179.53.253.105:23 -> 192.168.2.23:45428
Source: Traffic Snort IDS: 716 INFO TELNET access 1.34.205.104:23 -> 192.168.2.23:38362
Source: Traffic Snort IDS: 716 INFO TELNET access 189.58.246.113:23 -> 192.168.2.23:58410
Source: Traffic Snort IDS: 716 INFO TELNET access 219.157.79.194:23 -> 192.168.2.23:43722
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47638
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47648
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47652
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47658
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47660
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47666
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47670
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47674
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47688
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:54994 -> 95.213.159.92:1312
Sample listens on a socket
Source: /tmp/phantom.arm (PID: 5269) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/phantom.arm (PID: 5269) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/phantom.arm (PID: 5269) Socket: 0.0.0.0::80 Jump to behavior
Source: /tmp/phantom.arm (PID: 5269) Socket: 0.0.0.0::37215 Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) Socket: 0.0.0.0::80 Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) Socket: 0.0.0.0::37215 Jump to behavior
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 95.213.159.92
Source: unknown TCP traffic detected without corresponding DNS query: 78.15.236.47
Source: unknown TCP traffic detected without corresponding DNS query: 171.146.215.234
Source: unknown TCP traffic detected without corresponding DNS query: 250.9.232.102
Source: unknown TCP traffic detected without corresponding DNS query: 201.136.228.235
Source: unknown TCP traffic detected without corresponding DNS query: 92.175.203.112
Source: unknown TCP traffic detected without corresponding DNS query: 1.246.226.181
Source: unknown TCP traffic detected without corresponding DNS query: 12.1.58.108
Source: unknown TCP traffic detected without corresponding DNS query: 150.172.150.52
Source: unknown TCP traffic detected without corresponding DNS query: 79.248.5.113
Source: unknown TCP traffic detected without corresponding DNS query: 104.129.192.210
Source: unknown TCP traffic detected without corresponding DNS query: 8.219.44.184
Source: unknown TCP traffic detected without corresponding DNS query: 16.142.249.237
Source: unknown TCP traffic detected without corresponding DNS query: 83.245.39.248
Source: unknown TCP traffic detected without corresponding DNS query: 130.182.214.84
Source: unknown TCP traffic detected without corresponding DNS query: 118.220.165.88
Source: unknown TCP traffic detected without corresponding DNS query: 78.2.62.95
Source: unknown TCP traffic detected without corresponding DNS query: 251.84.123.3
Source: unknown TCP traffic detected without corresponding DNS query: 206.168.234.135
Source: unknown TCP traffic detected without corresponding DNS query: 216.43.53.99
Source: unknown TCP traffic detected without corresponding DNS query: 87.26.247.112
Source: unknown TCP traffic detected without corresponding DNS query: 166.91.49.158
Source: unknown TCP traffic detected without corresponding DNS query: 154.245.101.199
Source: unknown TCP traffic detected without corresponding DNS query: 201.191.243.180
Source: unknown TCP traffic detected without corresponding DNS query: 182.28.122.109
Source: unknown TCP traffic detected without corresponding DNS query: 241.69.23.37
Source: unknown TCP traffic detected without corresponding DNS query: 246.105.67.55
Source: unknown TCP traffic detected without corresponding DNS query: 90.114.119.155
Source: unknown TCP traffic detected without corresponding DNS query: 5.78.99.26
Source: unknown TCP traffic detected without corresponding DNS query: 213.80.157.48
Source: unknown TCP traffic detected without corresponding DNS query: 53.229.27.66
Source: unknown TCP traffic detected without corresponding DNS query: 244.98.182.239
Source: unknown TCP traffic detected without corresponding DNS query: 212.250.119.213
Source: unknown TCP traffic detected without corresponding DNS query: 59.2.90.159
Source: unknown TCP traffic detected without corresponding DNS query: 2.177.87.58
Source: unknown TCP traffic detected without corresponding DNS query: 217.152.165.109
Source: unknown TCP traffic detected without corresponding DNS query: 117.98.221.115
Source: unknown TCP traffic detected without corresponding DNS query: 206.54.27.59
Source: unknown TCP traffic detected without corresponding DNS query: 117.190.66.88
Source: unknown TCP traffic detected without corresponding DNS query: 222.29.117.200
Source: unknown TCP traffic detected without corresponding DNS query: 154.104.78.194
Source: unknown TCP traffic detected without corresponding DNS query: 133.39.250.188
Source: unknown TCP traffic detected without corresponding DNS query: 208.253.140.3
Source: unknown TCP traffic detected without corresponding DNS query: 19.195.87.89
Source: unknown TCP traffic detected without corresponding DNS query: 5.73.14.164
Source: unknown TCP traffic detected without corresponding DNS query: 186.15.66.140
Source: unknown TCP traffic detected without corresponding DNS query: 60.33.51.60
Source: unknown TCP traffic detected without corresponding DNS query: 111.133.95.56
Source: unknown TCP traffic detected without corresponding DNS query: 118.8.151.128
Source: unknown TCP traffic detected without corresponding DNS query: 75.168.5.59
Source: phantom.arm String found in binary or memory: http://upx.sf.net

System Summary:

barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/phantom.arm (PID: 5269) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 5269, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 847, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2097, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2180, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2208, result: successful Jump to behavior
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Sample tries to kill a process (SIGKILL)
Source: /tmp/phantom.arm (PID: 5269) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 5269, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 847, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2097, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2180, result: successful Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) SIGKILL sent: pid: 2208, result: successful Jump to behavior
Source: classification engine Classification label: mal76.spre.troj.evad.linARM@0/53@0/0

Data Obfuscation:

barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

barindex
Enumerates processes within the "proc" file system
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/4331/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/5025/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2033/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2033/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1582/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2275/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1612/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1612/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1579/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1699/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1699/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1335/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1698/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1698/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2028/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2028/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1334/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1576/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2302/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/3236/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2025/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2025/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2146/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2146/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/910/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/912/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/912/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/912/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/759/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/759/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/759/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/517/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/4449/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2307/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/918/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/918/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/918/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1594/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2285/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2281/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1349/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1623/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1623/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/761/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/761/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/761/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1622/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1622/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/884/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/884/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/884/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1983/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1983/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2038/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2038/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1586/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1465/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1344/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1860/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1860/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1463/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2156/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2156/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/800/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/800/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/800/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/5269/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/801/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/801/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/801/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1629/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1629/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1627/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1627/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1900/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/5167/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/5168/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/491/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/491/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/491/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2294/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2050/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/2050/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1877/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1877/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/772/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/772/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/772/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1633/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1633/exe Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1599/fd Jump to behavior
Source: /tmp/phantom.arm (PID: 5275) File opened: /proc/1599/exe Jump to behavior
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5217) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log " Jump to behavior
Source: /usr/sbin/logrotate (PID: 5231) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/invoke-rc.d (PID: 5227) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service Jump to behavior
Source: /usr/sbin/invoke-rc.d (PID: 5229) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service Jump to behavior
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5233) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5306) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6bzhR9it8a /tmp/tmp.11SQvYZQLl /tmp/tmp.GrXK897oec Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47638
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47648
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47652
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47658
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47660
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47666
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47670
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47674
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47688

Malware Analysis System Evasion:

barindex
Deletes log files
Source: /usr/sbin/logrotate (PID: 5174) Truncated file: /var/log/cups/access_log.1 Jump to behavior
Source: /usr/sbin/logrotate (PID: 5174) Truncated file: /var/log/syslog.1 Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/phantom.arm (PID: 5267) Queries kernel information via 'uname': Jump to behavior
Source: 5215.8.dr Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 5215.8.dr Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 5215.8.dr Binary or memory string: qemu-or1k
Source: 5215.8.dr Binary or memory string: qemu-riscv64
Source: 5215.8.dr Binary or memory string: {cqemu
Source: 5215.8.dr Binary or memory string: qemu-arm
Source: 5215.8.dr Binary or memory string: (qemu
Source: 5215.8.dr Binary or memory string: qemu-tilegx
Source: 5215.8.dr Binary or memory string: qemu-hppa
Source: 5215.8.dr Binary or memory string: q{rqemu%
Source: 5215.8.dr Binary or memory string: )qemu
Source: 5215.8.dr Binary or memory string: vmware-toolbox-cmd
Source: 5215.8.dr Binary or memory string: qemu-ppc
Source: 5215.8.dr Binary or memory string: Tqemu9
Source: 5215.8.dr Binary or memory string: qemu-aarch64_be
Source: 5215.8.dr Binary or memory string: 0qemu9
Source: 5215.8.dr Binary or memory string: qemu-sparc64
Source: 5215.8.dr Binary or memory string: qemu-mips64
Source: 5215.8.dr Binary or memory string: vV:qemu9
Source: 5215.8.dr Binary or memory string: qemu-ppc64le
Source: 5215.8.dr Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 5215.8.dr Binary or memory string: vmware
Source: 5215.8.dr Binary or memory string: qemu-cris
Source: 5215.8.dr Binary or memory string: libvmtools
Source: 5215.8.dr Binary or memory string: qemu-m68k
Source: 5215.8.dr Binary or memory string: qemu-xtensa
Source: 5215.8.dr Binary or memory string: 9qemu
Source: phantom.arm, 5267.1.000000006c77c041.0000000032ab47e5.rw-.sdmp, phantom.arm, 5269.1.000000006c77c041.0000000032ab47e5.rw-.sdmp, phantom.arm, 5271.1.000000006c77c041.0000000032ab47e5.rw-.sdmp, phantom.arm, 5277.1.000000006c77c041.0000000032ab47e5.rw-.sdmp Binary or memory string: Hx86_64/usr/bin/qemu-arm/tmp/phantom.armSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/phantom.arm
Source: 5215.8.dr Binary or memory string: qemu-sh4
Source: 5215.8.dr Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: phantom.arm, 5267.1.000000006c03502f.000000004f416c9f.rw-.sdmp, phantom.arm, 5269.1.000000006c03502f.000000004f416c9f.rw-.sdmp, phantom.arm, 5271.1.000000006c03502f.000000004f416c9f.rw-.sdmp, phantom.arm, 5277.1.000000006c03502f.000000004f416c9f.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 5215.8.dr Binary or memory string: .qemu{
Source: 5215.8.dr Binary or memory string: qemu-ppc64abi32
Source: 5215.8.dr Binary or memory string: qemu-ppc64
Source: 5215.8.dr Binary or memory string: qemu-i386
Source: 5215.8.dr Binary or memory string: qemu-x86_64
Source: 5215.8.dr Binary or memory string: H~6\nqemu*q
Source: 5215.8.dr Binary or memory string: @qemu
Source: 5215.8.dr Binary or memory string: Fqqemu
Source: phantom.arm, 5267.1.000000006c03502f.000000004f416c9f.rw-.sdmp, phantom.arm, 5269.1.000000006c03502f.000000004f416c9f.rw-.sdmp, phantom.arm, 5271.1.000000006c03502f.000000004f416c9f.rw-.sdmp, phantom.arm, 5277.1.000000006c03502f.000000004f416c9f.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 5215.8.dr Binary or memory string: N4qemu
Source: 5215.8.dr Binary or memory string: ~6\nqemu*q
Source: 5215.8.dr Binary or memory string: qemu-mips64el
Source: 5215.8.dr Binary or memory string: hqemu
Source: 5215.8.dr Binary or memory string: &mqemu
Source: 5215.8.dr Binary or memory string: $qemu
Source: 5215.8.dr Binary or memory string: qemu-sparc
Source: 5215.8.dr Binary or memory string: qemu-microblaze
Source: 5215.8.dr Binary or memory string: qemu-user
Source: 5215.8.dr Binary or memory string: qemu-aarch64
Source: 5215.8.dr Binary or memory string: qemu-sh4eb
Source: 5215.8.dr Binary or memory string: iqemu
Source: 5215.8.dr Binary or memory string: qemu-mipsel
Source: 5215.8.dr Binary or memory string: qemuP`
Source: 5215.8.dr Binary or memory string: qemu-alpha
Source: 5215.8.dr Binary or memory string: qemu-microblazeel
Source: 5215.8.dr Binary or memory string: \qemu
Source: 5215.8.dr Binary or memory string: qemu-xtensaeb
Source: 5215.8.dr Binary or memory string: qemu-mipsn32el
Source: 5215.8.dr Binary or memory string: SAqemu
Source: 5215.8.dr Binary or memory string: Vqemu
Source: 5215.8.dr Binary or memory string: qemu-mipsn32
Source: 5215.8.dr Binary or memory string: qemuAU
Source: 5215.8.dr Binary or memory string: qemu-riscv32
Source: 5215.8.dr Binary or memory string: qemu-sparc32plus
Source: 5215.8.dr Binary or memory string: 7,qemu
Source: 5215.8.dr Binary or memory string: qemu-s390x
Source: 5215.8.dr Binary or memory string: vmware-checkvm
Source: 5215.8.dr Binary or memory string: qemu-nios2
Source: 5215.8.dr Binary or memory string: qemu-armeb
Source: 5215.8.dr Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 5215.8.dr Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 5215.8.dr Binary or memory string: I_qemu
Source: phantom.arm, 5267.1.000000006c77c041.0000000032ab47e5.rw-.sdmp, phantom.arm, 5269.1.000000006c77c041.0000000032ab47e5.rw-.sdmp, phantom.arm, 5271.1.000000006c77c041.0000000032ab47e5.rw-.sdmp, phantom.arm, 5277.1.000000006c77c041.0000000032ab47e5.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: 5215.8.dr Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 5215.8.dr Binary or memory string: -3315837702310A--gzvmware shared library
Source: 5215.8.dr Binary or memory string: qemu-mips
Source: 5215.8.dr Binary or memory string: qemuj\
Source: 5215.8.dr Binary or memory string: {qemuQ&
Source: 5215.8.dr Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 5215.8.dr Binary or memory string: vmware-xferlogs

Stealing of Sensitive Information:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs