Linux Analysis Report fVA3Q44QAK

Overview

General Information

Sample Name: fVA3Q44QAK
Analysis ID: 553483
MD5: cd6521521289846e8001d5f05cf0e10d
SHA1: ecb03ba794a579a02ad8e0ef94b29ebed527a155
SHA256: 00a6f460395d2f545eba81ead528fcf2883582412affb7b052e7fef3478361c0
Tags: 32, elf, intel, mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: fVA3Q44QAK Virustotal: Detection: 36%
Source: fVA3Q44QAK ReversingLabs: Detection: 51%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52626
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52626
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52626
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52648
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52648
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52648
Source: Traffic Snort IDS: 716 INFO TELNET access 177.7.221.41:23 -> 192.168.2.23:59270
Source: Traffic Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:59270 -> 177.7.221.41:23
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52658
Source: Traffic Snort IDS: 716 INFO TELNET access 177.7.221.41:23 -> 192.168.2.23:59276
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52658
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52658
Source: Traffic Snort IDS: 716 INFO TELNET access 177.7.221.41:23 -> 192.168.2.23:59280
Source: Traffic Snort IDS: 716 INFO TELNET access 177.7.221.41:23 -> 192.168.2.23:59292
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41272
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41272
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52684
Source: Traffic Snort IDS: 716 INFO TELNET access 177.7.221.41:23 -> 192.168.2.23:59346
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52684
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52684
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41390
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41390
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52836
Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.8.49.214:23 -> 192.168.2.23:34430
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52836
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52836
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41482
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41482
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52978
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44108
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52978
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52978
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41600
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41600
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44198
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:53088
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41692
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41692
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:53088
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:53088
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44220
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:53138
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41734
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41734
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:53138
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:53138
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44296
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 190.111.231.121: -> 192.168.2.23:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41778
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41778
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:53190
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:43966
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:43966
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:53190
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:53190
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44352
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41830
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41830
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44020
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44020
Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:53284
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41898 -> 178.219.113.60:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:53284
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:53284
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44426
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41898
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41898
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.198.210.199:23 -> 192.168.2.23:50898
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44100
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44100
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41944
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41944
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44132
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44132
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44482
Source: Traffic Snort IDS: 716 INFO TELNET access 27.35.231.182:23 -> 192.168.2.23:34932
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54124
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.35.231.182:23 -> 192.168.2.23:34932
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.35.231.182:23 -> 192.168.2.23:34932
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44180
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44180
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54182
Source: Traffic Snort IDS: 716 INFO TELNET access 27.35.231.182:23 -> 192.168.2.23:35018
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44568
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44236
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44236
Source: Traffic Snort IDS: 716 INFO TELNET access 41.181.140.130:23 -> 192.168.2.23:57582
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.35.231.182:23 -> 192.168.2.23:35018
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.35.231.182:23 -> 192.168.2.23:35018
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44616
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54230
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:46814
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44284
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44284
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:46814
Source: Traffic Snort IDS: 716 INFO TELNET access 27.35.231.182:23 -> 192.168.2.23:35082
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54248
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.75.91.70:23 -> 192.168.2.23:44642
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:46832
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:46832
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44308
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44308
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.35.231.182:23 -> 192.168.2.23:35082
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.35.231.182:23 -> 192.168.2.23:35082
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:46876
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54306
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:46876
Source: Traffic Snort IDS: 716 INFO TELNET access 189.115.194.129:23 -> 192.168.2.23:57130
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44362
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44362
Source: Traffic Snort IDS: 716 INFO TELNET access 183.236.171.20:23 -> 192.168.2.23:55824
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:46982
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.115.194.129:23 -> 192.168.2.23:57130
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:46982
Source: Traffic Snort IDS: 716 INFO TELNET access 27.35.231.182:23 -> 192.168.2.23:35228
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 183.236.171.20:23 -> 192.168.2.23:55824
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 183.236.171.20:23 -> 192.168.2.23:55824
Source: Traffic Snort IDS: 716 INFO TELNET access 189.115.194.129:23 -> 192.168.2.23:57252
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54484
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:47096
Source: Traffic Snort IDS: 716 INFO TELNET access 210.165.140.156:23 -> 192.168.2.23:42788
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 93.49.107.156:23 -> 192.168.2.23:44536
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 93.49.107.156:23 -> 192.168.2.23:44536
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.115.194.129:23 -> 192.168.2.23:57252
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:47096
Source: Traffic Snort IDS: 716 INFO TELNET access 106.240.171.6:23 -> 192.168.2.23:56382
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.112.121.182:23 -> 192.168.2.23:44974
Source: Traffic Snort IDS: 716 INFO TELNET access 183.236.171.20:23 -> 192.168.2.23:56072
Source: Traffic Snort IDS: 716 INFO TELNET access 189.115.194.129:23 -> 192.168.2.23:57416
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:47240
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.35.231.182:23 -> 192.168.2.23:35228
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.35.231.182:23 -> 192.168.2.23:35228
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:47240
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.115.194.129:23 -> 192.168.2.23:57416
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 183.236.171.20:23 -> 192.168.2.23:56072
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 183.236.171.20:23 -> 192.168.2.23:56072
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:57868
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54710
Source: Traffic Snort IDS: 716 INFO TELNET access 189.115.194.129:23 -> 192.168.2.23:57480
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:47298
Source: Traffic Snort IDS: 716 INFO TELNET access 23.91.241.26:23 -> 192.168.2.23:38630
Source: Traffic Snort IDS: 716 INFO TELNET access 211.160.177.2:23 -> 192.168.2.23:44084
Source: Traffic Snort IDS: 716 INFO TELNET access 27.35.231.182:23 -> 192.168.2.23:35580
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:57874
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:47298
Source: Traffic Snort IDS: 492 INFO TELNET login failed 23.91.241.26:23 -> 192.168.2.23:38630
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.115.194.129:23 -> 192.168.2.23:57480
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:57948
Source: Traffic Snort IDS: 492 INFO TELNET login failed 211.160.177.2:23 -> 192.168.2.23:44084
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:57962
Source: Traffic Snort IDS: 716 INFO TELNET access 111.163.72.218:23 -> 192.168.2.23:34104
Source: Traffic Snort IDS: 716 INFO TELNET access 183.236.171.20:23 -> 192.168.2.23:56238
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:58000
Source: Traffic Snort IDS: 716 INFO TELNET access 23.91.241.26:23 -> 192.168.2.23:38750
Source: Traffic Snort IDS: 716 INFO TELNET access 189.115.194.129:23 -> 192.168.2.23:57612
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 27.35.231.182:23 -> 192.168.2.23:35580
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 27.35.231.182:23 -> 192.168.2.23:35580
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:47428
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:58024
Source: Traffic Snort IDS: 716 INFO TELNET access 211.160.177.2:23 -> 192.168.2.23:44208
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.2.193.110:23 -> 192.168.2.23:54860
Source: Traffic Snort IDS: 492 INFO TELNET login failed 23.91.241.26:23 -> 192.168.2.23:38750
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:58040
Source: Traffic Snort IDS: 716 INFO TELNET access 111.163.72.218:23 -> 192.168.2.23:34178
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 183.236.171.20:23 -> 192.168.2.23:56238
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 183.236.171.20:23 -> 192.168.2.23:56238
Source: Traffic Snort IDS: 492 INFO TELNET login failed 201.20.102.53:23 -> 192.168.2.23:47428
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:58048
Source: Traffic Snort IDS: 492 INFO TELNET login failed 189.115.194.129:23 -> 192.168.2.23:57612
Source: Traffic Snort IDS: 492 INFO TELNET login failed 211.160.177.2:23 -> 192.168.2.23:44208
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:58062
Source: Traffic Snort IDS: 716 INFO TELNET access 23.91.241.26:23 -> 192.168.2.23:38816
Source: Traffic Snort IDS: 716 INFO TELNET access 60.14.56.69:23 -> 192.168.2.23:58078
Source: Traffic Snort IDS: 716 INFO TELNET access 189.115.194.129:23 -> 192.168.2.23:57712
Source: Traffic Snort IDS: 716 INFO TELNET access 201.20.102.53:23 -> 192.168.2.23:47524
Source: Traffic Snort IDS: 716 INFO TELNET access 211.160.177.2:23 -> 192.168.2.23:44294
Source: Traffic Snort IDS: 492 INFO TELNET login failed 23.91.241.26:23 -> 192.168.2.23:38816
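Added example (editor's code, not part of the sandbox report and not the Mirai sample): a triage script that parses alert lines in the format printed above and reports, per remote host, how many telnet sessions ended in a login-failure banner (SIDs 492, 718 and 1251, which travel from the target's port 23 back to the sandbox's ephemeral port) and which Mirai dictionary credentials the ET TROJAN rules (SIDs 2023433 and 2023448) saw going out. The sample lines below are copied from the report; the sandbox address 192.168.2.23 is taken from it as well.

```python
import re
from collections import Counter, defaultdict

# Alert lines exactly as the report prints them (copied from the Snort section above).
SAMPLE_ALERTS = [
    "Source: Traffic Snort IDS: 716 INFO TELNET access 41.57.43.2:23 -> 192.168.2.23:52626",
    "Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 41.57.43.2:23 -> 192.168.2.23:52626",
    "Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 41.57.43.2:23 -> 192.168.2.23:52626",
    "Source: Traffic Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.23:59270 -> 177.7.221.41:23",
    "Source: Traffic Snort IDS: 492 INFO TELNET login failed 223.8.49.214:23 -> 192.168.2.23:34430",
    "Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 190.111.231.121: -> 192.168.2.23:",
    "Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41898 -> 178.219.113.60:23",
    "Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.219.113.60:23 -> 192.168.2.23:41898",
    "Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.219.113.60:23 -> 192.168.2.23:41898",
]

# "<sid> <message> <src>:<sport> -> <dst>:<dport>"; the ports are empty for ICMP alerts.
ALERT_RE = re.compile(
    r"Snort IDS:\s+(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d*)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d*)\s*$"
)
# Snort community SIDs in the report whose banner means the guessed credential was rejected.
LOGIN_FAIL_SIDS = {492, 718, 1251}
# The ET TROJAN rules put the matched Mirai dictionary credential in parentheses.
MIRAI_CRED_RE = re.compile(r"Linux\.Mirai Login Attempt \((?P<cred>[^)]+)\)")


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def summarize(lines, sandbox_ip):
    """Count failed telnet sessions per target and outbound Mirai credential attempts."""
    failed_ports = defaultdict(set)  # target host -> sandbox ephemeral ports that got a failure banner
    creds = Counter()                # (credential, target host) -> alert count
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        # Failure banners travel target:23 -> sandbox:ephemeral; one ephemeral port is one session.
        if a["sid"] in LOGIN_FAIL_SIDS and a["sport"] == 23 and a["dst"] == sandbox_ip:
            failed_ports[a["src"]].add(a["dport"])
        # Credential alerts fire on the outbound side: sandbox:ephemeral -> target:23.
        m = MIRAI_CRED_RE.search(a["msg"])
        if m and a["src"] == sandbox_ip and a["dport"] == 23:
            creds[(m.group("cred"), a["dst"])] += 1
    return {
        "failed_sessions": {host: len(ports) for host, ports in failed_ports.items()},
        "creds": dict(creds),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ALERTS, "192.168.2.23")
    for host, n in sorted(result["failed_sessions"].items()):
        print(f"{host}: {n} telnet session(s) ended in a login failure")
    for (cred, host), n in sorted(result["creds"].items()):
        print(f"Mirai credential {cred!r} tried against {host} ({n} alert(s))")
```

Run over the full alert list, the per-host session count is the useful number: it separates hosts that merely answered on port 23 (SID 716 alone) from hosts the bot actually tried credentials against, and the credential alerts give the dictionary entries to search for in other captures.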
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41248
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41258
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41288
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41306
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41330
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41334
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41338
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41340
Note: port 23 is telnet's registered port, and the notation is source port -> destination port (compare the 443 entries further down), so the "non-standard" port in these entries is the sandbox's own ephemeral port. The sandbox's protocol detector labelled the plaintext exchange as HTTP; the Snort alerts above (TELNET access, Bad Login, login incorrect, login failed) show it is telnet credential guessing against remote hosts.
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:39274 -> 34.249.145.219:443
Note: these entries are tagged "global traffic" rather than attributed to the sample's PIDs, and 91.189.91.42 and 91.189.91.43 are Canonical (Ubuntu) address space. Treat them as probable guest-OS background traffic until the pcap ties the connections to the sample's processes; they are not evidence of a dropper or C2 host on their own.
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
Note: 136.144.41.15:1312 is the only connection in the capture to a fixed high port, and it heads the list of addresses contacted without a DNS query below. Many Mirai variants carry the C2 address in the binary, so this is the candidate C2 to block and pivot on; the remaining no-DNS addresses are consistent with the scanner's randomly generated telnet targets.
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 39274 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 136.144.41.15
Source: unknown TCP traffic detected without corresponding DNS query: 86.114.208.209
Source: unknown TCP traffic detected without corresponding DNS query: 243.174.106.35
Source: unknown TCP traffic detected without corresponding DNS query: 67.49.248.210
Source: unknown TCP traffic detected without corresponding DNS query: 16.114.55.95
Source: unknown TCP traffic detected without corresponding DNS query: 197.22.95.112
Source: unknown TCP traffic detected without corresponding DNS query: 35.102.24.95
Source: unknown TCP traffic detected without corresponding DNS query: 126.36.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 116.151.253.46
Source: unknown TCP traffic detected without corresponding DNS query: 194.173.176.105
Source: unknown TCP traffic detected without corresponding DNS query: 130.193.17.243
Source: unknown TCP traffic detected without corresponding DNS query: 103.222.112.39
Source: unknown TCP traffic detected without corresponding DNS query: 181.22.75.4
Source: unknown TCP traffic detected without corresponding DNS query: 124.97.161.209
Source: unknown TCP traffic detected without corresponding DNS query: 39.108.62.151
Source: unknown TCP traffic detected without corresponding DNS query: 168.109.209.2
Source: unknown TCP traffic detected without corresponding DNS query: 75.119.233.6
Source: unknown TCP traffic detected without corresponding DNS query: 82.61.135.125
Source: unknown TCP traffic detected without corresponding DNS query: 147.228.81.150
Source: unknown TCP traffic detected without corresponding DNS query: 193.130.162.15
Source: unknown TCP traffic detected without corresponding DNS query: 151.221.106.243
Source: unknown TCP traffic detected without corresponding DNS query: 13.95.76.153
Source: unknown TCP traffic detected without corresponding DNS query: 243.232.160.119
Source: unknown TCP traffic detected without corresponding DNS query: 202.25.239.217
Source: unknown TCP traffic detected without corresponding DNS query: 63.242.170.205
Source: unknown TCP traffic detected without corresponding DNS query: 58.17.227.90
Source: unknown TCP traffic detected without corresponding DNS query: 251.104.219.53
Source: unknown TCP traffic detected without corresponding DNS query: 255.21.84.13
Source: unknown TCP traffic detected without corresponding DNS query: 9.97.192.97
Source: unknown TCP traffic detected without corresponding DNS query: 63.127.95.221
Source: unknown TCP traffic detected without corresponding DNS query: 128.31.239.87
Source: unknown TCP traffic detected without corresponding DNS query: 194.50.7.65
Source: unknown TCP traffic detected without corresponding DNS query: 172.155.57.146
Source: unknown TCP traffic detected without corresponding DNS query: 92.232.14.56
Source: unknown TCP traffic detected without corresponding DNS query: 119.167.39.218
Source: unknown TCP traffic detected without corresponding DNS query: 200.237.13.70
Source: unknown TCP traffic detected without corresponding DNS query: 17.135.153.56
Source: unknown TCP traffic detected without corresponding DNS query: 155.245.80.45
Source: unknown TCP traffic detected without corresponding DNS query: 170.170.202.40
Source: unknown TCP traffic detected without corresponding DNS query: 133.95.172.234
Source: unknown TCP traffic detected without corresponding DNS query: 75.48.59.107
Source: unknown TCP traffic detected without corresponding DNS query: 73.39.38.124
Source: unknown TCP traffic detected without corresponding DNS query: 255.1.109.214
Source: unknown TCP traffic detected without corresponding DNS query: 123.46.224.16
Source: unknown TCP traffic detected without corresponding DNS query: 78.140.215.45
Source: unknown TCP traffic detected without corresponding DNS query: 4.77.72.12
Source: unknown TCP traffic detected without corresponding DNS query: 23.138.112.226
Source: unknown TCP traffic detected without corresponding DNS query: 41.66.188.103
Source: unknown TCP traffic detected without corresponding DNS query: 221.206.147.174
Source: unknown TCP traffic detected without corresponding DNS query: 61.141.254.232
Source: fVA3Q44QAK String found in binary or memory: http://upx.sf.net (this is the UPX packer's embedded banner, not a URL the sample contacts)

System Summary:

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0xc01000
Sample tries to kill a process (SIGKILL)
Source: /tmp/fVA3Q44QAK (PID: 5219) SIGKILL sent: pid: 936, result: successful
Source: /tmp/fVA3Q44QAK (PID: 5222) SIGKILL sent: pid: 936, result: successful
Both instances of the sample killed the same PID (936) after walking /proc/<pid>/fd for every process (see the enumeration list under Persistence and Installation Behavior). That is the shape of Mirai's killer routine: locate the process that owns the listening telnet socket and remove it so the port cannot be used by a competing bot or by the owner to regain access. The report does not say what PID 936 was, so this is an interpretation, not a finding of the report.
Source: classification engine Classification label: mal72.troj.evad.lin@0/0@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
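Added example (editor's code, not from the report): a static check for the two packing indicators the report lists, an ELF whose program headers contain only LOAD segments while e_shnum is 0 (the "LOAD segment without any section mappings" finding under System Summary), and the UPX banner strings. Because the sample itself is not on the page, the block builds a minimal synthetic ELF32 (EM_386, one PT_LOAD at 0xc01000, the address the report gives) carrying the UPX banner; that file is constructed here for illustration only. The parser handles ELF32 and ELF64 in either byte order, which is more general than the single 32-bit sample.

```python
import struct

# Banner strings as quoted in the report.
UPX_BANNER = (b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
              b"$Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $\x00")


def build_sample_elf32():
    """Constructed stand-in for the sample: ELF32/i386, one PT_LOAD, no section headers."""
    body = b"UPX!" + b"\x00" * 12 + UPX_BANNER
    ehdr_size, phdr_size = 52, 32
    filesz = ehdr_size + phdr_size + len(body)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0xC01000,              # ET_EXEC, EM_386, version, e_entry
                               ehdr_size, 0, 0,                # e_phoff, e_shoff = 0, e_flags
                               ehdr_size, phdr_size, 1,        # e_ehsize, e_phentsize, e_phnum
                               0, 0, 0)                        # e_shentsize, e_shnum = 0, e_shstrndx
    # PT_LOAD, offset 0, vaddr/paddr 0xc01000, filesz, memsz, flags R+X, align
    phdr = struct.pack("<IIIIIIII", 1, 0, 0xC01000, 0xC01000, filesz, filesz, 5, 0x1000)
    return ehdr + phdr + body


PT_NAMES = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR", 7: "TLS",
            0x6474E550: "GNU_EH_FRAME", 0x6474E551: "GNU_STACK", 0x6474E552: "GNU_RELRO"}
EM_NAMES = {3: "i386", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX", b"http://upx.sf.net")


def triage_elf(data):
    """Parse the ELF header and program headers; report section count and UPX markers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:       # ELF32
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        ph_fmt = end + "IIIIIIII"
        ph_keys = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    elif ei_class == 2:     # ELF64: p_flags sits right after p_type
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        ph_fmt = end + "IIQQQQQQ"
        ph_keys = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        raise ValueError(f"unknown EI_CLASS {ei_class}")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _,
     _, e_phentsize, e_phnum, _, e_shnum, _) = hdr
    segments = []
    for i in range(e_phnum):
        ph = dict(zip(ph_keys, struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)))
        segments.append({"type": PT_NAMES.get(ph["type"], hex(ph["type"])),
                         "vaddr": ph["vaddr"], "filesz": ph["filesz"], "memsz": ph["memsz"]})
    return {
        "class": 32 if ei_class == 1 else 64,
        "machine": EM_NAMES.get(e_machine, str(e_machine)),
        "e_type": e_type, "entry": e_entry,
        "e_shoff": e_shoff, "e_shnum": e_shnum,
        "segments": segments,
        "upx_markers": [m.decode() for m in UPX_MARKERS if m in data],
    }


def looks_upx_packed(t):
    """The report's indicators taken together: only LOAD segments, no sections, UPX strings."""
    only_load = bool(t["segments"]) and all(s["type"] == "LOAD" for s in t["segments"])
    return t["e_shnum"] == 0 and only_load and bool(t["upx_markers"])


if __name__ == "__main__":
    t = triage_elf(build_sample_elf32())
    print(f"ELF{t['class']} {t['machine']}, e_shnum={t['e_shnum']}, segments={[s['type'] for s in t['segments']]}")
    print("UPX markers:", t["upx_markers"], "-> packed:", looks_upx_packed(t))
```

Two caveats from practice: a stripped section table plus a single RX LOAD segment is also what a plain `upx` run produces on a static binary, so the shape alone is not malicious; and Mirai builds frequently patch the UPX! magic or the banner so that `upx -d` refuses the file. Treat a missing marker as weak evidence and rely on the segment/section shape and entropy, then unpack by dumping the process after the stub has run.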

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/5222/exe
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/491/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/793/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/772/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/796/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/774/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/797/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/777/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/799/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/658/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/912/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/759/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/936/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/918/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/1/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/761/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/785/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/884/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/720/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/721/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/788/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/789/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/800/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/801/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/847/fd
Source: /tmp/fVA3Q44QAK (PID: 5222) File opened: /proc/904/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/491/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/793/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/772/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/796/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/774/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/797/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/777/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/799/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/658/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/912/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/759/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/936/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/5219/exe
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/918/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/1/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/761/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/785/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/884/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/720/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/721/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/788/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/789/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/800/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/801/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/847/fd
Source: /tmp/fVA3Q44QAK (PID: 5219) File opened: /proc/904/fd
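A /proc/<pid>/fd walk over every process, followed by a SIGKILL of a single PID (936, as listed under System Summary), is the pattern of Mirai's killer routine as it appears in the leaked source (killer_kill_by_port): read /proc/net/tcp, take the inode of the socket in LISTEN state on port 23 (22 and 80 in some builds), then readlink each /proc/<pid>/fd/* looking for socket:[inode] and kill the owning process. The report does not show which socket PID 936 held, so mapping it to the telnet listener is the editor's interpretation. Added example (editor's code, not the sample's and not the report's) that reproduces the lookup as a read-only analyst tool: it returns the PIDs such a bot would target and signals nothing. The /proc/net/tcp excerpt and the fd table are constructed inline; live_fd_links() reads the real /proc when run on Linux.

```python
import os

# Constructed /proc/net/tcp excerpt: a listener on :23 (inode 18321), one on :22 (18200),
# and an established outbound telnet connection from an ephemeral port (inode 20455).
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18200 1 0000000000000000 100 0 0 10 0
   2: 1702A8C0:C7E6 0F2990AA:0017 01 00000000:00000000 00:00000000 00000000     0        0 20455 1 0000000000000000 20 4 30 10 -1
"""

# Constructed fd tables (what readlink("/proc/<pid>/fd/<n>") would return). The PID numbers
# follow the report's process list; which socket each one held is hypothetical.
SAMPLE_FD_LINKS = {
    1:    ["/dev/null", "/dev/null", "socket:[11111]"],
    936:  ["/dev/null", "socket:[18321]", "/dev/pts/0"],   # owns the :23 listener
    884:  ["socket:[18200]"],                               # owns the :22 listener
    5222: ["socket:[20455]"],                               # the bot's own scanner socket
}

TCP_LISTEN = "0A"   # st column value for a listening socket


def find_listener_inodes(net_tcp_text, ports):
    """Map socket inode -> local port for LISTEN sockets on the given ports."""
    found = {}
    for line in net_tcp_text.splitlines()[1:]:        # skip the header row
        parts = line.split()
        if len(parts) < 10:
            continue
        local, state, inode = parts[1], parts[3], parts[9]
        port = int(local.split(":")[1], 16)           # "00000000:0017" -> 23
        if state == TCP_LISTEN and port in ports:
            found[inode] = port
    return found


def owners_of(inodes, fd_links, self_pid=None):
    """Return sorted (pid, port) pairs for processes holding one of the inodes."""
    hits = set()
    for pid, targets in fd_links.items():
        if pid == self_pid:                           # the bot skips its own process
            continue
        for target in targets:
            if target.startswith("socket:[") and target[8:-1] in inodes:
                hits.add((pid, inodes[target[8:-1]]))
    return sorted(hits)


def plan_kills(net_tcp_text, fd_links, ports=(23,), self_pid=None):
    """What a Mirai-style killer would SIGKILL: owners of LISTEN sockets on the ports."""
    return owners_of(find_listener_inodes(net_tcp_text, set(ports)), fd_links, self_pid)


def live_fd_links():
    """Read the real /proc (Linux only); PIDs we cannot read are skipped, not an error."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            fds = os.listdir(f"/proc/{name}/fd")
        except OSError:
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(f"/proc/{name}/fd/{fd}"))
            except OSError:
                pass
        links[int(name)] = targets
    return links


if __name__ == "__main__":
    # Offline demonstration on the constructed data; nothing is signalled.
    print(plan_kills(SAMPLE_NET_TCP, SAMPLE_FD_LINKS, ports=(22, 23), self_pid=5222))
```

On a real device the same lookup with live_fd_links() and a read of /proc/net/tcp tells you which daemon the bot would have removed (typically the vendor's telnetd); on the host side, a burst of readlink() calls across every /proc/<pid>/fd directory from a process that was just written to /tmp is itself a usable detection signal.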
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5264) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FZJy5QRkED /tmp/tmp.Cx4p8ienxO /tmp/tmp.ayYQw5P6KC
Note: this rm is executed by a dash shell (PID 5264), not by the sample's own processes (PIDs 5219 and 5222), and it removes mktemp-style names under /tmp. Check the process tree for whether that shell was spawned by the sample or by the sandbox harness before counting it as sample behaviour.

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports: see the identical entries under Networking above.

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP