Linux Analysis Report phantom.arm7

Overview

General Information

Sample Name: phantom.arm7
Analysis ID: 553476
MD5: 694e279c1a0cbc31db51aa3f1ee49b3e
SHA1: d4fd45382263f89824d73cc136f8dcd21bab20a0
SHA256: a75929884ae4782e41a878045f161f6cb2aaac641481db6060dde22bdc412761
Tags: Mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "systemctl" command used for controlling the systemd system and service manager
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: phantom.arm7 Virustotal: Detection: 41%
Source: phantom.arm7 ReversingLabs: Detection: 44%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:54994 -> 95.213.159.92:1312
Sample listens on a socket
Source: /tmp/phantom.arm7 (PID: 5284) Socket: 0.0.0.0::0
Source: /tmp/phantom.arm7 (PID: 5290) Socket: 0.0.0.0::0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 95.213.159.92
Source: unknown TCP traffic detected without corresponding DNS query: 153.139.230.252
Source: unknown TCP traffic detected without corresponding DNS query: 123.221.151.252
Source: unknown TCP traffic detected without corresponding DNS query: 105.250.1.51
Source: unknown TCP traffic detected without corresponding DNS query: 80.182.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 69.63.235.244
Source: unknown TCP traffic detected without corresponding DNS query: 202.38.222.54
Source: unknown TCP traffic detected without corresponding DNS query: 39.108.85.54
Source: unknown TCP traffic detected without corresponding DNS query: 170.230.146.167
Source: unknown TCP traffic detected without corresponding DNS query: 45.195.54.176
Source: unknown TCP traffic detected without corresponding DNS query: 66.78.43.66
Source: unknown TCP traffic detected without corresponding DNS query: 169.101.252.215
Source: unknown TCP traffic detected without corresponding DNS query: 166.18.223.23
Source: unknown TCP traffic detected without corresponding DNS query: 38.7.151.164
Source: unknown TCP traffic detected without corresponding DNS query: 39.11.214.28
Source: unknown TCP traffic detected without corresponding DNS query: 186.216.131.79
Source: unknown TCP traffic detected without corresponding DNS query: 5.109.28.108
Source: unknown TCP traffic detected without corresponding DNS query: 189.47.96.242
Source: unknown TCP traffic detected without corresponding DNS query: 118.105.139.155
Source: unknown TCP traffic detected without corresponding DNS query: 141.175.204.222
Source: unknown TCP traffic detected without corresponding DNS query: 173.165.57.26
Source: unknown TCP traffic detected without corresponding DNS query: 4.32.226.137
Source: unknown TCP traffic detected without corresponding DNS query: 204.152.235.229
Source: unknown TCP traffic detected without corresponding DNS query: 164.203.30.88
Source: unknown TCP traffic detected without corresponding DNS query: 83.232.165.61
Source: unknown TCP traffic detected without corresponding DNS query: 126.133.134.80
Source: unknown TCP traffic detected without corresponding DNS query: 40.50.99.115
Source: unknown TCP traffic detected without corresponding DNS query: 135.124.37.229
Source: unknown TCP traffic detected without corresponding DNS query: 173.38.214.85
Source: unknown TCP traffic detected without corresponding DNS query: 118.202.116.127
Source: unknown TCP traffic detected without corresponding DNS query: 155.121.127.209
Source: unknown TCP traffic detected without corresponding DNS query: 27.159.217.186
Source: unknown TCP traffic detected without corresponding DNS query: 212.173.94.145
Source: unknown TCP traffic detected without corresponding DNS query: 255.23.93.99
Source: unknown TCP traffic detected without corresponding DNS query: 71.248.61.114
Source: unknown TCP traffic detected without corresponding DNS query: 241.187.223.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.112.195.220
Source: unknown TCP traffic detected without corresponding DNS query: 151.101.222.80
Source: unknown TCP traffic detected without corresponding DNS query: 243.183.36.115
Source: unknown TCP traffic detected without corresponding DNS query: 247.5.12.197
Source: unknown TCP traffic detected without corresponding DNS query: 251.12.93.44
Source: unknown TCP traffic detected without corresponding DNS query: 159.56.97.232
Source: unknown TCP traffic detected without corresponding DNS query: 62.93.197.98
Source: unknown TCP traffic detected without corresponding DNS query: 252.148.241.146
Source: unknown TCP traffic detected without corresponding DNS query: 124.53.34.8
Source: unknown TCP traffic detected without corresponding DNS query: 164.125.64.26
Source: unknown TCP traffic detected without corresponding DNS query: 58.206.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 173.175.106.184
Source: unknown TCP traffic detected without corresponding DNS query: 16.220.22.35
Source: unknown TCP traffic detected without corresponding DNS query: 92.176.58.157
Source: phantom.arm7 String found in binary or memory: http://upx.sf.net
Source: motd-news.41.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary:

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Yara signature match
Source: phantom.arm7, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: /tmp/phantom.arm7 (PID: 5284) SIGKILL sent: pid: 936, result: successful
Source: /tmp/phantom.arm7 (PID: 5290) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal72.troj.evad.linARM7@0/4@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/491/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/793/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/772/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/796/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/774/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/797/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/777/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/799/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/658/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/912/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/759/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/936/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/918/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/1/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/761/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/785/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/884/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/720/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/721/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/788/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/789/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/800/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/801/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/847/fd
Source: /tmp/phantom.arm7 (PID: 5284) File opened: /proc/904/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/491/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/793/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/772/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/796/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/774/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/797/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/777/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/799/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/658/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/912/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/759/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/936/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/918/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/1/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/761/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/785/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/884/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/720/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/721/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/788/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/789/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/800/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/801/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/847/fd
Source: /tmp/phantom.arm7 (PID: 5290) File opened: /proc/904/fd
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/invoke-rc.d (PID: 5223) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service
Source: /usr/sbin/invoke-rc.d (PID: 5225) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5230) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5220) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
Source: /usr/sbin/logrotate (PID: 5227) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5247) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Qx6sCqhUAx /tmp/tmp.ChPykC47j2 /tmp/tmp.PTIO2VlqDw

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54754
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54762
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54768
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54778
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54786
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54798
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54806
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54810
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54816
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54826

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/phantom.arm7 (PID: 5282) Queries kernel information via 'uname'
Deletes log files
Source: /usr/sbin/logrotate (PID: 5177) Truncated file: /var/log/syslog.1
Source: phantom.arm7, 5282.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5284.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5384.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5397.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5389.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5285.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5380.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5291.1.00000000be09fe06.0000000093de9c13.rw-.sdmp Binary or memory string: 6V!/etc/qemu-binfmt/arm
Source: phantom.arm7, 5282.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5284.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5384.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5397.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5389.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5285.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5380.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5291.1.00000000be09fe06.0000000093de9c13.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: phantom.arm7, 5282.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5284.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5384.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5397.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5389.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5285.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5380.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5291.1.000000002227e047.00000000093dc27a.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: phantom.arm7, 5282.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5284.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5384.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5397.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5389.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5285.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5380.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5291.1.000000002227e047.00000000093dc27a.rw-.sdmp Binary or memory string: *4x86_64/usr/bin/qemu-arm/tmp/phantom.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/phantom.arm7

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP