Linux Analysis Report 8p2APHSDxx

Overview

General Information

Sample Name: 8p2APHSDxx
Analysis ID: 553490
MD5: adcb553ec947029a484f9f4995ffbe0a
SHA1: b7c64b1604b6847888619ae3b2af85faa9ffa741
SHA256: 6631ba2378a01aade3a4f46cae3b80a33bbf06bae53412e27c72d23f1fcc9397
Tags: 32 elf mips mirai

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 8p2APHSDxx Virustotal: Detection: 26%
Source: 8p2APHSDxx ReversingLabs: Detection: 34%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
Sample listens on a socket
Source: /tmp/8p2APHSDxx (PID: 5221) Socket: 0.0.0.0::0
Source: /tmp/8p2APHSDxx (PID: 5221) Socket: 0.0.0.0::23
Source: /tmp/8p2APHSDxx (PID: 5221) Socket: 0.0.0.0::53413
Source: /tmp/8p2APHSDxx (PID: 5221) Socket: 0.0.0.0::80
Source: /tmp/8p2APHSDxx (PID: 5221) Socket: 0.0.0.0::52869
Source: /tmp/8p2APHSDxx (PID: 5221) Socket: 0.0.0.0::37215
Source: /tmp/8p2APHSDxx (PID: 5227) Socket: 0.0.0.0::0
Source: /tmp/8p2APHSDxx (PID: 5227) Socket: 0.0.0.0::23
Source: /tmp/8p2APHSDxx (PID: 5227) Socket: 0.0.0.0::53413
Source: /tmp/8p2APHSDxx (PID: 5227) Socket: 0.0.0.0::80
Source: /tmp/8p2APHSDxx (PID: 5227) Socket: 0.0.0.0::52869
Source: /tmp/8p2APHSDxx (PID: 5227) Socket: 0.0.0.0::37215
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: 8p2APHSDxx String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Sample tries to kill a process (SIGKILL)
Source: classification engine Classification label: mal76.spre.troj.evad.lin@0/0@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1623/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/761/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/761/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/761/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1622/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/884/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/884/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/884/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1983/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/2038/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1860/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/2156/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/800/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/800/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/800/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/801/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/801/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/801/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/4457/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1629/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/4458/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/4459/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1627/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/3021/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/491/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/491/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/491/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/2294/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/2050/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/5161/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1877/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/772/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/772/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/772/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1633/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/1632/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/774/fd Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/774/exe Jump to behavior
Source: /tmp/8p2APHSDxx (PID: 5227) File opened: /proc/774/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47118
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47120
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47124
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47126
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47130
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47134
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47142
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47146
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47148
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47152
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47144
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47154
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47156
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47158
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47162
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47174
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47220
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47230
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47186
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47244
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47250
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47252
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47256
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47258
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47264
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47266
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47270
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47278

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/8p2APHSDxx (PID: 5219) Queries kernel information via 'uname'
Source: 8p2APHSDxx, 5219.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5221.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5222.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5325.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5229.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5231.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 8p2APHSDxx, 5325.1.000000009e28a83d.000000001427abc4.rw-.sdmp Binary or memory string: ` /proc/267/exe!/proc/789/fd/9/mipsel/1/proc/2307/exe/mipsel/0!/proc/269/exe!/proc/789/fd/8/mipsel/1/usr/bin/vmtoolsdipsel/0!/proc/270/exe!/proc/789/fd/7/mipsel/1/usr/libexec/gvfsd-metadata0!/proc/272/exe!/proc/789/fd/6/mipsel/1/usr/lib/systemd/systemd-resolved!/proc/274/exe!/proc/789/fd/5/mipsel/1/usr/lib/policykit-1/polkitd0!/proc/278/exe!/proc/789/fd/4/mipsel/1/usr/sbin/acpid/mipsel/0!/proc/281/exe!/proc/789/fd/3/mipsel/1@
Source: 8p2APHSDxx, 5325.1.000000009e28a83d.000000001427abc4.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: 8p2APHSDxx, 5219.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5221.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5222.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5325.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5229.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp, 8p2APHSDxx, 5231.1.000000005dbcf65e.000000009e28a83d.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: 8p2APHSDxx, 5325.1.000000009e28a83d.000000001427abc4.rw-.sdmp Binary or memory string: U/mipsel/0 /proc/5223/exe0!/proc/884/fd/51/dev/misc/watchdogpsel/0!/usr/bin/qemu-mipsel!/proc/884/fd/61p
Source: 8p2APHSDxx, 5219.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5221.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5222.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5325.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5229.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5231.1.000000008c73bfdd.0000000014055195.rw-.sdmp Binary or memory string: Jx86_64/usr/bin/qemu-mipsel/tmp/8p2APHSDxxSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/8p2APHSDxx
Source: 8p2APHSDxx, 5219.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5221.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5222.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5325.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5325.1.000000009e28a83d.000000001427abc4.rw-.sdmp, 8p2APHSDxx, 5229.1.000000008c73bfdd.0000000014055195.rw-.sdmp, 8p2APHSDxx, 5231.1.000000008c73bfdd.0000000014055195.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP