Source: zXL7Uv8mEG | Virustotal: Detection: 37% | Perma Link |
Source: zXL7Uv8mEG | ReversingLabs: Detection: 34% |
Source: zXL7Uv8mEG | String found in binary or memory: http://upx.sf.net |
Source: LOAD without section mappings | Program segment: 0x8000 |
Source: zXL7Uv8mEG, type: SAMPLE | Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4 |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | SIGKILL sent: pid: 936, result: successful | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | SIGKILL sent: pid: 936, result: successful | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5287) | SIGKILL sent: pid: 5285, result: successful | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5326) | SIGKILL sent: pid: 5324, result: successful | Jump to behavior |
Source: classification engine | Classification label: mal52.evad.lin@0/0@0/0 |
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $ |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/491/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/793/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/772/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/796/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/774/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/797/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/777/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/799/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/658/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/912/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/759/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/936/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/918/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/1/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/761/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/785/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/884/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/720/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/721/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/788/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/789/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/800/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/801/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/847/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5262) | File opened: /proc/904/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/491/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/793/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/772/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/796/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/774/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/797/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/777/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/799/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/658/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/912/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/759/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/936/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/918/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/1/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/761/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/785/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/884/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/720/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/721/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/788/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/789/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/800/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/801/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/847/fd | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5268) | File opened: /proc/904/fd | Jump to behavior |
Source: /usr/bin/dash (PID: 5304) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.XeTLhZbQbn /tmp/tmp.Uma6QlImKT /tmp/tmp.AKJHFauVo4 | Jump to behavior |
Source: /tmp/zXL7Uv8mEG (PID: 5260) | Queries kernel information via 'uname': | Jump to behavior |
Source: zXL7Uv8mEG, 5260.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5262.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5383.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5399.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5391.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5263.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5382.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5270.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5285.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5287.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5324.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5326.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm |
Source: zXL7Uv8mEG, 5260.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5262.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5383.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5399.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5391.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5263.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5382.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5270.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5285.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5287.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5324.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5326.1.000000001eb594be.00000000ff524bb7.rw-.sdmp | Binary or memory string: _x86_64/usr/bin/qemu-arm/tmp/zXL7Uv8mEGSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zXL7Uv8mEG |
Source: zXL7Uv8mEG, 5260.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5262.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5383.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5399.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5391.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5263.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5382.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5270.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5285.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5287.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5324.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp, zXL7Uv8mEG, 5326.1.00000000115f7a9c.00000000176ccf8d.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm |
Source: zXL7Uv8mEG, 5260.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5262.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5383.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5399.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5391.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5263.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5382.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5270.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5285.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5287.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5324.1.000000001eb594be.00000000ff524bb7.rw-.sdmp, zXL7Uv8mEG, 5326.1.000000001eb594be.00000000ff524bb7.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm |