Linux Analysis Report phantom.x86

Overview

General Information

Sample Name: phantom.x86
Analysis ID: 553477
MD5: 8bb140fe0754eee2498279f9f1830368
SHA1: 0146917808c967dd97899cd5259de170b67af87b
SHA256: 217a622a111c0d13237c660259617cb1e31943d74a1767a933ddee8ae0b445ac
Tags: Mirai
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "systemctl" command used for controlling the systemd system and service manager
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: phantom.x86 Virustotal: Detection: 37% Perma Link
Source: phantom.x86 ReversingLabs: Detection: 51%

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33648
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36286
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36286
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33704
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36312
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36312
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33722
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:41818
Source: Traffic Snort IDS: 716 INFO TELNET access 81.28.168.138:23 -> 192.168.2.23:41548
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36410
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36410
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:41848
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33818
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:41912
Source: Traffic Snort IDS: 716 INFO TELNET access 106.247.163.186:23 -> 192.168.2.23:60834
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33874
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36490
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36490
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59728
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:41986
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59740
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33934
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:42002
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59758
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36572
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36572
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59764
Source: Traffic Snort IDS: 716 INFO TELNET access 81.28.168.138:23 -> 192.168.2.23:41728
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33962
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59780
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:42024
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59790
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36616
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36616
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33372
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33372
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:42044
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:33994
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59804
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.67.33.87:23 -> 192.168.2.23:59238
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.67.33.87:23 -> 192.168.2.23:59238
Source: Traffic Snort IDS: 716 INFO TELNET access 106.247.163.186:23 -> 192.168.2.23:60976
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59826
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:42076
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:34022
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:42090
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59844
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33436
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33436
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36662
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36662
Source: Traffic Snort IDS: 716 INFO TELNET access 167.88.133.103:23 -> 192.168.2.23:59864
Source: Traffic Snort IDS: 492 INFO TELNET login failed 220.182.10.28:23 -> 192.168.2.23:34068
Source: Traffic Snort IDS: 492 INFO TELNET login failed 58.58.179.87:23 -> 192.168.2.23:42130
Source: Traffic Snort IDS: 716 INFO TELNET access 81.28.168.138:23 -> 192.168.2.23:41850
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33488
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33488
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36714
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36714
Source: Traffic Snort IDS: 716 INFO TELNET access 200.148.130.171:23 -> 192.168.2.23:36328
Source: Traffic Snort IDS: 716 INFO TELNET access 106.247.163.186:23 -> 192.168.2.23:32906
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33542
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33542
Source: Traffic Snort IDS: 716 INFO TELNET access 41.159.150.5:23 -> 192.168.2.23:46088
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36774
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36774
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46018
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.67.33.87:23 -> 192.168.2.23:59422
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.67.33.87:23 -> 192.168.2.23:59422
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46046
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33614
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33614
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 60.168.155.103:23 -> 192.168.2.23:36852
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 60.168.155.103:23 -> 192.168.2.23:36852
Source: Traffic Snort IDS: 492 INFO TELNET login failed 59.10.149.168:23 -> 192.168.2.23:36846
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46080
Source: Traffic Snort IDS: 716 INFO TELNET access 81.28.168.138:23 -> 192.168.2.23:42032
Source: Traffic Snort IDS: 716 INFO TELNET access 197.210.191.131:23 -> 192.168.2.23:36928
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46118
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33700
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33700
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46134
Source: Traffic Snort IDS: 716 INFO TELNET access 200.148.130.171:23 -> 192.168.2.23:36512
Source: Traffic Snort IDS: 492 INFO TELNET login failed 187.144.43.161:23 -> 192.168.2.23:45308
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:36954 -> 59.10.149.168:23
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46146
Source: Traffic Snort IDS: 716 INFO TELNET access 106.247.163.186:23 -> 192.168.2.23:33070
Source: Traffic Snort IDS: 716 INFO TELNET access 177.20.187.254:23 -> 192.168.2.23:46162
Source: Traffic Snort IDS: 492 INFO TELNET login failed 59.10.149.168:23 -> 192.168.2.23:36954
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33732
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33732
Source: Traffic Snort IDS: 716 INFO TELNET access 191.243.8.246:23 -> 192.168.2.23:54074
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 216.67.33.87:23 -> 192.168.2.23:59650
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 216.67.33.87:23 -> 192.168.2.23:59650
Source: Traffic Snort IDS: 716 INFO TELNET access 223.241.109.216:23 -> 192.168.2.23:41810
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:33824
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:33824
Source: Traffic Snort IDS: 716 INFO TELNET access 81.28.168.138:23 -> 192.168.2.23:42266
Source: Traffic Snort IDS: 716 INFO TELNET access 197.210.191.131:23 -> 192.168.2.23:37156
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55340
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55340
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:37128 -> 59.10.149.168:23
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.241.109.216:23 -> 192.168.2.23:41810
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55378
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55378
Source: Traffic Snort IDS: 716 INFO TELNET access 223.241.109.216:23 -> 192.168.2.23:41886
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.127.103.72:23 -> 192.168.2.23:42702
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.127.103.72:23 -> 192.168.2.23:42702
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 72.71.147.108:23 -> 192.168.2.23:37168
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 72.71.147.108:23 -> 192.168.2.23:37168
Source: Traffic Snort IDS: 492 INFO TELNET login failed 59.10.149.168:23 -> 192.168.2.23:37128
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55432
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55432
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.241.109.216:23 -> 192.168.2.23:41886
Source: Traffic Snort IDS: 716 INFO TELNET access 200.148.130.171:23 -> 192.168.2.23:36826
Source: Traffic Snort IDS: 716 INFO TELNET access 223.241.109.216:23 -> 192.168.2.23:42030
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55500
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55500
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:34020
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:34020
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41652
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41668
Source: Traffic Snort IDS: 716 INFO TELNET access 113.66.237.187:23 -> 192.168.2.23:49080
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 89.237.89.162:23 -> 192.168.2.23:53210
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 89.237.89.162:23 -> 192.168.2.23:53210
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41680
Source: Traffic Snort IDS: 716 INFO TELNET access 202.101.161.154:23 -> 192.168.2.23:44858
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55572
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55572
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.241.109.216:23 -> 192.168.2.23:42030
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41706
Source: Traffic Snort IDS: 716 INFO TELNET access 106.247.163.186:23 -> 192.168.2.23:33490
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.39.191.244:23 -> 192.168.2.23:39110
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.39.191.244:23 -> 192.168.2.23:39110
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.127.103.72:23 -> 192.168.2.23:42916
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.127.103.72:23 -> 192.168.2.23:42916
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41748
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 113.66.237.187:23 -> 192.168.2.23:49080
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 113.66.237.187:23 -> 192.168.2.23:49080
Source: Traffic Snort IDS: 716 INFO TELNET access 202.101.161.154:23 -> 192.168.2.23:44936
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41762
Source: Traffic Snort IDS: 716 INFO TELNET access 223.241.109.216:23 -> 192.168.2.23:42158
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55634
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55634
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41774
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41784
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41796
Source: Traffic Snort IDS: 716 INFO TELNET access 202.101.161.154:23 -> 192.168.2.23:44978
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 118.45.164.195:23 -> 192.168.2.23:52726
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 118.45.164.195:23 -> 192.168.2.23:52726
Source: Traffic Snort IDS: 716 INFO TELNET access 115.234.209.249:23 -> 192.168.2.23:41808
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55702
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55702
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.241.109.216:23 -> 192.168.2.23:42158
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.122.227.186:23 -> 192.168.2.23:34224
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.122.227.186:23 -> 192.168.2.23:34224
Source: Traffic Snort IDS: 716 INFO TELNET access 202.101.161.154:23 -> 192.168.2.23:45024
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 89.237.89.162:23 -> 192.168.2.23:53378
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 89.237.89.162:23 -> 192.168.2.23:53378
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 81.82.240.55:23 -> 192.168.2.23:55748
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 81.82.240.55:23 -> 192.168.2.23:55748
Source: Traffic Snort IDS: 716 INFO TELNET access 223.241.109.216:23 -> 192.168.2.23:42254
Source: Traffic Snort IDS: 716 INFO TELNET access 113.66.237.187:23 -> 192.168.2.23:49284
Source: Traffic Snort IDS: 716 INFO TELNET access 191.243.8.246:23 -> 192.168.2.23:54588
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 79.127.103.72:23 -> 192.168.2.23:43102
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 79.127.103.72:23 -> 192.168.2.23:43102
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.39.191.244:23 -> 192.168.2.23:39306
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.39.191.244:23 -> 192.168.2.23:39306
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.241.109.216:23 -> 192.168.2.23:42254
Source: Traffic Snort IDS: 716 INFO TELNET access 197.210.191.131:23 -> 192.168.2.23:37636
Source: Traffic Snort IDS: 716 INFO TELNET access 202.101.161.154:23 -> 192.168.2.23:45086
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.172.166.38:23 -> 192.168.2.23:56366
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.172.166.38:23 -> 192.168.2.23:56366
Source: Traffic Snort IDS: 716 INFO TELNET access 81.28.168.138:23 -> 192.168.2.23:42746
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 113.66.237.187:23 -> 192.168.2.23:49284
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 113.66.237.187:23 -> 192.168.2.23:49284
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 213.149.123.81:23 -> 192.168.2.23:34336
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34044
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34048
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34058
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34064
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34088
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34094
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34098
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34102
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:54994 -> 95.213.159.92:1312
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 95.213.159.92
Source: unknown TCP traffic detected without corresponding DNS query: 133.41.242.62
Source: unknown TCP traffic detected without corresponding DNS query: 211.2.183.44
Source: unknown TCP traffic detected without corresponding DNS query: 130.19.79.54
Source: unknown TCP traffic detected without corresponding DNS query: 178.157.137.244
Source: unknown TCP traffic detected without corresponding DNS query: 109.6.57.138
Source: unknown TCP traffic detected without corresponding DNS query: 161.136.130.199
Source: unknown TCP traffic detected without corresponding DNS query: 70.189.11.197
Source: unknown TCP traffic detected without corresponding DNS query: 133.164.155.201
Source: unknown TCP traffic detected without corresponding DNS query: 123.75.64.84
Source: unknown TCP traffic detected without corresponding DNS query: 242.255.207.250
Source: unknown TCP traffic detected without corresponding DNS query: 112.86.85.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.125.132.57
Source: unknown TCP traffic detected without corresponding DNS query: 109.58.109.73
Source: unknown TCP traffic detected without corresponding DNS query: 251.189.190.129
Source: unknown TCP traffic detected without corresponding DNS query: 70.227.78.220
Source: unknown TCP traffic detected without corresponding DNS query: 123.24.171.214
Source: unknown TCP traffic detected without corresponding DNS query: 39.181.51.72
Source: unknown TCP traffic detected without corresponding DNS query: 4.124.98.139
Source: unknown TCP traffic detected without corresponding DNS query: 97.136.138.58
Source: unknown TCP traffic detected without corresponding DNS query: 166.134.98.188
Source: unknown TCP traffic detected without corresponding DNS query: 38.114.98.113
Source: unknown TCP traffic detected without corresponding DNS query: 164.117.227.220
Source: unknown TCP traffic detected without corresponding DNS query: 95.70.106.36
Source: unknown TCP traffic detected without corresponding DNS query: 181.224.98.63
Source: unknown TCP traffic detected without corresponding DNS query: 19.142.231.219
Source: unknown TCP traffic detected without corresponding DNS query: 151.98.199.101
Source: unknown TCP traffic detected without corresponding DNS query: 202.221.208.62
Source: unknown TCP traffic detected without corresponding DNS query: 218.97.170.240
Source: unknown TCP traffic detected without corresponding DNS query: 108.143.98.38
Source: unknown TCP traffic detected without corresponding DNS query: 120.12.192.129
Source: unknown TCP traffic detected without corresponding DNS query: 208.187.121.164
Source: unknown TCP traffic detected without corresponding DNS query: 155.52.144.229
Source: unknown TCP traffic detected without corresponding DNS query: 34.233.85.250
Source: unknown TCP traffic detected without corresponding DNS query: 182.181.130.122
Source: unknown TCP traffic detected without corresponding DNS query: 53.96.142.168
Source: unknown TCP traffic detected without corresponding DNS query: 46.245.250.75
Source: unknown TCP traffic detected without corresponding DNS query: 186.83.155.129
Source: unknown TCP traffic detected without corresponding DNS query: 194.17.138.51
Source: unknown TCP traffic detected without corresponding DNS query: 65.142.208.101
Source: unknown TCP traffic detected without corresponding DNS query: 13.233.191.221
Source: unknown TCP traffic detected without corresponding DNS query: 5.195.74.110
Source: unknown TCP traffic detected without corresponding DNS query: 201.229.100.155
Source: unknown TCP traffic detected without corresponding DNS query: 128.1.73.198
Source: unknown TCP traffic detected without corresponding DNS query: 96.66.28.90
Source: unknown TCP traffic detected without corresponding DNS query: 153.121.164.50
Source: unknown TCP traffic detected without corresponding DNS query: 156.53.58.171
Source: unknown TCP traffic detected without corresponding DNS query: 162.39.54.83
Source: unknown TCP traffic detected without corresponding DNS query: 1.29.111.224
Source: unknown TCP traffic detected without corresponding DNS query: 141.140.40.36
Source: phantom.x86 String found in binary or memory: http://upx.sf.net

System Summary:

barindex
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0xc01000
Sample tries to kill a process (SIGKILL)
Source: /tmp/phantom.x86 (PID: 5279) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: classification engine Classification label: mal72.troj.evad.linX86@0/53@0/0

Data Obfuscation:

barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

barindex
Enumerates processes within the "proc" file system
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/491/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/793/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/772/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/796/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/774/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/797/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/777/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/799/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/658/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/912/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/759/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/936/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/918/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/5279/exe Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/1/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/761/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/785/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/884/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/720/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/721/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/788/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/789/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/800/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/801/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/847/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5279) File opened: /proc/904/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/491/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/5282/exe Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/793/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/772/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/796/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/774/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/797/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/777/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/799/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/658/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/912/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/759/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/936/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/918/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/1/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/761/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/785/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/884/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/720/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/721/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/788/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/789/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/800/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/801/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/847/fd Jump to behavior
Source: /tmp/phantom.x86 (PID: 5282) File opened: /proc/904/fd Jump to behavior
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5236) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log " Jump to behavior
Source: /usr/sbin/logrotate (PID: 5245) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/invoke-rc.d (PID: 5239) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service Jump to behavior
Source: /usr/sbin/invoke-rc.d (PID: 5243) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service Jump to behavior
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5247) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34044
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34048
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34058
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34064
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34088
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34094
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34098
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34102

Malware Analysis System Evasion:

barindex
Deletes log files
Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/cups/access_log.1 Jump to behavior
Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/syslog.1 Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/find (PID: 5232) Queries kernel information via 'uname': Jump to behavior
Source: 5240.20.dr Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 5240.20.dr Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 5240.20.dr Binary or memory string: qemu-or1k
Source: 5240.20.dr Binary or memory string: qemu-riscv64
Source: 5240.20.dr Binary or memory string: {cqemu
Source: 5240.20.dr Binary or memory string: qemu-arm
Source: 5240.20.dr Binary or memory string: (qemu
Source: 5240.20.dr Binary or memory string: qemu-tilegx
Source: 5240.20.dr Binary or memory string: qemu-hppa
Source: 5240.20.dr Binary or memory string: q{rqemu%
Source: 5240.20.dr Binary or memory string: )qemu
Source: 5240.20.dr Binary or memory string: vmware-toolbox-cmd
Source: 5240.20.dr Binary or memory string: qemu-ppc
Source: 5240.20.dr Binary or memory string: Tqemu9
Source: 5240.20.dr Binary or memory string: qemu-aarch64_be
Source: 5240.20.dr Binary or memory string: 0qemu9
Source: 5240.20.dr Binary or memory string: qemu-sparc64
Source: 5240.20.dr Binary or memory string: qemu-mips64
Source: 5240.20.dr Binary or memory string: vV:qemu9
Source: 5240.20.dr Binary or memory string: qemu-ppc64le
Source: 5240.20.dr Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 5240.20.dr Binary or memory string: vmware
Source: 5240.20.dr Binary or memory string: qemu-cris
Source: 5240.20.dr Binary or memory string: libvmtools
Source: 5240.20.dr Binary or memory string: qemu-m68k
Source: 5240.20.dr Binary or memory string: qemu-xtensa
Source: 5240.20.dr Binary or memory string: 9qemu
Source: 5240.20.dr Binary or memory string: qemu-sh4
Source: 5240.20.dr Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: 5240.20.dr Binary or memory string: .qemu{
Source: 5240.20.dr Binary or memory string: qemu-ppc64abi32
Source: 5240.20.dr Binary or memory string: qemu-ppc64
Source: 5240.20.dr Binary or memory string: qemu-i386
Source: 5240.20.dr Binary or memory string: qemu-x86_64
Source: 5240.20.dr Binary or memory string: H~6\nqemu*q
Source: 5240.20.dr Binary or memory string: @qemu
Source: 5240.20.dr Binary or memory string: Fqqemu
Source: 5240.20.dr Binary or memory string: N4qemu
Source: 5240.20.dr Binary or memory string: ~6\nqemu*q
Source: 5240.20.dr Binary or memory string: qemu-mips64el
Source: 5240.20.dr Binary or memory string: hqemu
Source: 5240.20.dr Binary or memory string: &mqemu
Source: 5240.20.dr Binary or memory string: $qemu
Source: 5240.20.dr Binary or memory string: qemu-sparc
Source: 5240.20.dr Binary or memory string: qemu-microblaze
Source: 5240.20.dr Binary or memory string: qemu-user
Source: 5240.20.dr Binary or memory string: qemu-aarch64
Source: 5240.20.dr Binary or memory string: qemu-sh4eb
Source: 5240.20.dr Binary or memory string: iqemu
Source: 5240.20.dr Binary or memory string: qemu-mipsel
Source: 5240.20.dr Binary or memory string: qemuP`
Source: 5240.20.dr Binary or memory string: qemu-alpha
Source: 5240.20.dr Binary or memory string: qemu-microblazeel
Source: 5240.20.dr Binary or memory string: \qemu
Source: 5240.20.dr Binary or memory string: qemu-xtensaeb
Source: 5240.20.dr Binary or memory string: qemu-mipsn32el
Source: 5240.20.dr Binary or memory string: SAqemu
Source: 5240.20.dr Binary or memory string: Vqemu
Source: 5240.20.dr Binary or memory string: qemu-mipsn32
Source: 5240.20.dr Binary or memory string: qemuAU
Source: 5240.20.dr Binary or memory string: qemu-riscv32
Source: 5240.20.dr Binary or memory string: qemu-sparc32plus
Source: 5240.20.dr Binary or memory string: 7,qemu
Source: 5240.20.dr Binary or memory string: qemu-s390x
Source: 5240.20.dr Binary or memory string: vmware-checkvm
Source: 5240.20.dr Binary or memory string: qemu-nios2
Source: 5240.20.dr Binary or memory string: qemu-armeb
Source: 5240.20.dr Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 5240.20.dr Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 5240.20.dr Binary or memory string: I_qemu
Source: 5240.20.dr Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 5240.20.dr Binary or memory string: -3315837702310A--gzvmware shared library
Source: 5240.20.dr Binary or memory string: qemu-mips
Source: 5240.20.dr Binary or memory string: qemuj\
Source: 5240.20.dr Binary or memory string: {qemuQ&
Source: 5240.20.dr Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 5240.20.dr Binary or memory string: vmware-xferlogs

Stealing of Sensitive Information:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
161.46.153.9
 unknown United States
1252 UNMC-ASUS false
138.214.135.26
 unknown Canada
59121 AKNWS-NETAsahiKaseiNetworksCorporationJP false
191.181.205.173
 unknown Brazil
28573 CLAROSABR false
186.180.66.200
 unknown Colombia
27831 ColombiaMovilCO false
35.218.99.155
 unknown United States
19527 GOOGLE-2US false
174.223.172.50
 unknown United States
22394 CELLCOUS false
92.14.197.230
 unknown United Kingdom
13285 OPALTELECOM-ASTalkTalkCommunicationsLimitedGB false
203.183.154.92
 unknown Japan 4725 ODNSoftBankMobileCorpJP false
63.190.130.133
 unknown United States
1239 SPRINTLINKUS false
155.106.187.197
 unknown United States
7018 ATT-INTERNET4US false
168.165.75.76
 unknown Mexico
37179 AFRICAINXZA false
200.133.204.145
 unknown Brazil
1916 AssociacaoRedeNacionaldeEnsinoePesquisaBR false
247.16.190.72
 unknown Reserved
unknown unknown false
44.148.157.125
 unknown United States
62383 LDS-ASBE false
146.24.28.224
 unknown United States
197938 TRAVIANGAMESDE false
73.45.72.12
 unknown United States
7922 COMCAST-7922US false
62.215.147.93
 unknown Kuwait
21050 FAST-TELCOKW false
111.197.113.115
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN false
209.253.15.54
 unknown United States
7029 WINDSTREAMUS false
248.250.22.44
 unknown Reserved
unknown unknown false
250.135.211.1
 unknown Reserved
unknown unknown false
58.6.174.54
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
130.227.167.221
 unknown Denmark
9158 TELENOR_DANMARK_ASDK false
167.100.152.214
 unknown Saudi Arabia
25019 SAUDINETSTC-ASSA false
185.57.37.64
 unknown United Kingdom
202206 MOTIVEGB false
70.153.237.61
 unknown United States
6389 BELLSOUTH-NET-BLKUS false
181.7.145.113
 unknown Argentina
7303 TelecomArgentinaSAAR false
185.255.158.224
 unknown Denmark
60111 ASOM-NETDK false
35.15.136.181
 unknown United States
36375 UMICH-AS-5US false
155.28.153.184
 unknown United States
1556 DNIC-ASBLK-01550-01601US false
254.164.185.124
 unknown Reserved
unknown unknown false
20.79.32.82
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
190.141.21.40
 unknown Panama
18809 CableOndaPA false
60.168.40.14
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
27.229.140.235
 unknown Japan 9605 DOCOMONTTDOCOMOINCJP false
136.255.15.129
 unknown Romania
12302 VODAFONE_ROCharlesdeGaullenr15RO false
162.79.89.113
 unknown United States
4152 USDA-1US false
221.64.244.54
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
36.33.212.92
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
80.36.57.53
 unknown Spain
3352 TELEFONICA_DE_ESPANAES false
213.161.228.235
 unknown Norway
15765 MIMERNO false
42.119.44.71
 unknown Viet Nam
18403 FPT-AS-APTheCorporationforFinancingPromotingTechnolo false
96.132.29.69
 unknown United States
7922 COMCAST-7922US false
221.20.125.203
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
241.254.232.178
 unknown Reserved
unknown unknown false
210.48.235.19
 unknown Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
195.129.27.188
 unknown European Union
702 UUNETUS false
160.75.166.103
 unknown Turkey
9095 IstanbulTeknikUniversitesiTR false
193.194.39.59
 unknown Morocco
6713 IAM-ASMA false
200.176.169.253
 unknown Brazil
22548 NucleodeInfeCoorddoPontoBR-NICBR false
187.252.127.109
 unknown Mexico
28509 CablemasTelecomunicacionesSAdeCVMX false
185.11.6.125
 unknown Russian Federation
15493 RUSCOMP-ASRussiancompanyLLCInternetServiceProviderT false
157.227.65.58
 unknown Australia
4704 SANNETRakutenMobileIncJP false
76.43.0.141
 unknown United States
18494 CENTURYLINK-LEGACY-EMBARQ-WRBGUS false
157.139.187.2
 unknown United States
20252 JSIWMCUS false
80.142.180.154
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
48.11.58.244
 unknown United States
2686 ATGS-MMD-ASUS false
63.155.197.20
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
253.72.75.120
 unknown Reserved
unknown unknown false
116.72.42.120
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN false
151.219.242.134
 unknown unknown
11003 PANDGUS false
133.118.92.141
 unknown Japan 2522 PPP-EXPJapanNetworkInformationCenterJP false
169.228.186.243
 unknown United States
7377 UCSDUS false
179.132.161.105
 unknown Brazil
26599 TELEFONICABRASILSABR false
76.114.145.159
 unknown United States
7922 COMCAST-7922US false
255.67.241.130
 unknown Reserved
unknown unknown false
117.196.164.125
 unknown India
9829 BSNL-NIBNationalInternetBackboneIN false
217.60.218.162
 unknown Iran (ISLAMIC Republic Of)
31549 RASANAIR false
96.144.25.21
 unknown United States
7922 COMCAST-7922US false
37.135.6.37
 unknown Spain
12479 UNI2-ASES false
82.124.221.121
 unknown France
3215 FranceTelecom-OrangeFR false
19.157.11.236
 unknown United States
3 MIT-GATEWAYSUS false
57.137.251.6
 unknown Belgium
2686 ATGS-MMD-ASUS false
223.52.70.237
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
174.103.238.15
 unknown United States
10796 TWC-10796-MIDWESTUS false
154.90.25.153
 unknown Seychelles
26484 IKGUL-26484US false
116.87.137.130
 unknown Singapore
55430 STARHUB-NGNBNStarhubLtdSG false
209.18.212.249
 unknown United States
5006 VOYANTUS false
210.89.203.17
 unknown Japan 7671 MCNETNTTSmartConnectCorporationJP false
8.127.239.179
 unknown United States
3356 LEVEL3US false
43.24.206.124
 unknown Japan 4249 LILLY-ASUS false
114.142.142.198
 unknown India
4721 JCNJupiterTelecommunicationsCoLtdJP false
53.49.50.138
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
46.154.181.7
 unknown Turkey
15897 VODAFONETURKEYTR false
182.89.214.65
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
165.77.232.33
 unknown United States
4725 ODNSoftBankMobileCorpJP false
37.157.93.73
 unknown Estonia
3249 ESTPAKEE false
106.31.231.3
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
182.137.131.110
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
208.63.21.65
 unknown United States
6389 BELLSOUTH-NET-BLKUS false
162.149.162.149
 unknown United States
7922 COMCAST-7922US false
12.134.143.230
 unknown United States
7018 ATT-INTERNET4US false
75.8.57.219
 unknown United States
7018 ATT-INTERNET4US false
42.75.76.247
 unknown Taiwan; Republic of China (ROC)
17421 EMOME-NETMobileBusinessGroupTW false
83.137.220.4
 unknown Russian Federation
12739 NETLINE_ASRU false
250.237.36.137
 unknown Reserved
unknown unknown false
78.222.94.138
 unknown France
12322 PROXADFR false
198.39.146.109
 unknown United States
11857 AEGONUSAUS false
251.237.41.157
 unknown Reserved
unknown unknown false
108.176.28.42
 unknown United States
12271 TWC-12271-NYCUS false