Linux Analysis Report 52lN2HSY7O

Overview

General Information

Sample Name: 52lN2HSY7O
Analysis ID: 553492
MD5: e0db3c63694e83c4ea4187a6fd40c9d2
SHA1: d04a564f43e9ed664478443199b196d6cb191580
SHA256: da6d168edfc190ef5f7a8ae9ad40de97ea559989c3f7421af1c9a0909522dbf4
Tags: 32, elf, mirai, motorola

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 52lN2HSY7O Virustotal: Detection: 55%
Source: 52lN2HSY7O ReversingLabs: Detection: 62%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57604
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57616
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57634
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57638
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57642
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57646
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57652
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57658
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57662
Source: Traffic Snort IDS: 492 INFO TELNET login failed 85.175.217.161:23 -> 192.168.2.23:57668
Source: Traffic Snort IDS: 492 INFO TELNET login failed 221.238.165.150:23 -> 192.168.2.23:53576
Source: Traffic Snort IDS: 716 INFO TELNET access 201.158.35.70:23 -> 192.168.2.23:56276
Source: Traffic Snort IDS: 716 INFO TELNET access 166.140.137.60:23 -> 192.168.2.23:56718
Source: Traffic Snort IDS: 716 INFO TELNET access 188.190.101.172:23 -> 192.168.2.23:41962
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35216
Source: Traffic Snort IDS: 716 INFO TELNET access 201.158.35.70:23 -> 192.168.2.23:56440
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35240
Source: Traffic Snort IDS: 492 INFO TELNET login failed 123.174.127.152:23 -> 192.168.2.23:44742
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49324
Source: Traffic Snort IDS: 716 INFO TELNET access 188.190.101.172:23 -> 192.168.2.23:42106
Source: Traffic Snort IDS: 716 INFO TELNET access 166.140.137.60:23 -> 192.168.2.23:56866
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35274
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49368
Source: Traffic Snort IDS: 492 INFO TELNET login failed 83.221.206.253:23 -> 192.168.2.23:39260
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35354
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49476
Source: Traffic Snort IDS: 716 INFO TELNET access 201.158.35.70:23 -> 192.168.2.23:56628
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35436
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49536
Source: Traffic Snort IDS: 716 INFO TELNET access 188.190.101.172:23 -> 192.168.2.23:42322
Source: Traffic Snort IDS: 716 INFO TELNET access 166.140.137.60:23 -> 192.168.2.23:57088
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35484
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49562
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35532
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49632
Source: Traffic Snort IDS: 716 INFO TELNET access 201.158.35.70:23 -> 192.168.2.23:56782
Source: Traffic Snort IDS: 716 INFO TELNET access 1.218.117.174:23 -> 192.168.2.23:46416
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 125.117.143.234:23 -> 192.168.2.23:52834
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 125.117.143.234:23 -> 192.168.2.23:52834
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35614
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 123.25.35.103:23 -> 192.168.2.23:34854
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 123.25.35.103:23 -> 192.168.2.23:34854
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49700
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58690
Source: Traffic Snort IDS: 716 INFO TELNET access 166.140.137.60:23 -> 192.168.2.23:57260
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58720
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:41730
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58750
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35690
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58770
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:41760
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49804
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58790
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.87.101.219:23 -> 192.168.2.23:50744
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.87.101.219:23 -> 192.168.2.23:50744
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 125.117.143.234:23 -> 192.168.2.23:52940
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 125.117.143.234:23 -> 192.168.2.23:52940
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:41820
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.87.101.219:23 -> 192.168.2.23:50762
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.87.101.219:23 -> 192.168.2.23:50762
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58822
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38270
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.87.101.219:23 -> 192.168.2.23:50798
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.87.101.219:23 -> 192.168.2.23:50798
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 207.188.71.177:23 -> 192.168.2.23:42754
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 207.188.71.177:23 -> 192.168.2.23:42754
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58868
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38270
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 178.87.101.219:23 -> 192.168.2.23:50812
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 178.87.101.219:23 -> 192.168.2.23:50812
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:41848
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58884
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:49902
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38304
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.232.178.241:23 -> 192.168.2.23:57582
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.232.178.241:23 -> 192.168.2.23:57582
Source: Traffic Snort IDS: 492 INFO TELNET login failed 120.199.27.22:23 -> 192.168.2.23:35830
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:41892
Source: Traffic Snort IDS: 716 INFO TELNET access 201.158.35.70:23 -> 192.168.2.23:57080
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38304
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58942
Source: Traffic Snort IDS: 2023443 ET TROJAN Possible Linux.Mirai Login Attempt (klv123) 192.168.2.23:49658 -> 89.145.206.38:23
Source: Traffic Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:53146 -> 125.117.143.234:23
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:41964
Source: Traffic Snort IDS: 716 INFO TELNET access 1.218.117.174:23 -> 192.168.2.23:46770
Source: Traffic Snort IDS: 716 INFO TELNET access 2.187.187.80:23 -> 192.168.2.23:58986
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38402
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:42002
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38402
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 125.117.143.234:23 -> 192.168.2.23:53146
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 125.117.143.234:23 -> 192.168.2.23:53146
Source: Traffic Snort IDS: 492 INFO TELNET login failed 218.76.20.170:23 -> 192.168.2.23:50046
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:42026
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38452
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38452
Source: Traffic Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 158.174.171.132: -> 192.168.2.23:
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:42092
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.232.178.241:23 -> 192.168.2.23:57746
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.232.178.241:23 -> 192.168.2.23:57746
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 99.159.222.174:23 -> 192.168.2.23:43534
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 99.159.222.174:23 -> 192.168.2.23:43534
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38622
Source: Traffic Snort IDS: 716 INFO TELNET access 176.178.175.26:23 -> 192.168.2.23:50634
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38622
Source: Traffic Snort IDS: 716 INFO TELNET access 166.140.137.60:23 -> 192.168.2.23:57834
Source: Traffic Snort IDS: 716 INFO TELNET access 200.88.134.147:23 -> 192.168.2.23:42228
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38706
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 99.159.222.174:23 -> 192.168.2.23:43624
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 99.159.222.174:23 -> 192.168.2.23:43624
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 176.178.175.26:23 -> 192.168.2.23:50634
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 176.178.175.26:23 -> 192.168.2.23:50634
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 123.25.35.103:23 -> 192.168.2.23:35464
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 123.25.35.103:23 -> 192.168.2.23:35464
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38706
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 125.117.143.234:23 -> 192.168.2.23:53434
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 125.117.143.234:23 -> 192.168.2.23:53434
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38772
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 99.159.222.174:23 -> 192.168.2.23:43688
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 99.159.222.174:23 -> 192.168.2.23:43688
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38772
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.23:46644 -> 178.153.86.181:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.232.178.241:23 -> 192.168.2.23:58050
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.232.178.241:23 -> 192.168.2.23:58050
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38824
Source: Traffic Snort IDS: 716 INFO TELNET access 176.178.175.26:23 -> 192.168.2.23:50838
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 99.159.222.174:23 -> 192.168.2.23:43756
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 99.159.222.174:23 -> 192.168.2.23:43756
Source: Traffic Snort IDS: 492 INFO TELNET login failed 93.95.190.14:23 -> 192.168.2.23:38824
Source: Traffic Snort IDS: 716 INFO TELNET access 216.12.124.74:23 -> 192.168.2.23:59688
Source: Traffic Snort IDS: 716 INFO TELNET access 93.95.190.14:23 -> 192.168.2.23:38894
Source: Traffic Snort IDS: 716 INFO TELNET access 216.12.124.74:23 -> 192.168.2.23:59730
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 176.178.175.26:23 -> 192.168.2.23:50838
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 176.178.175.26:23 -> 192.168.2.23:50838
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59876
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59894
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59902
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59906
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59912
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59914
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59918
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59920
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59922
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59490
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59496
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59500
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59502
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59504
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59508
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59512
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 59514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55390
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55394
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55396
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55402
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55404
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55406
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55408
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55412
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55416
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 55418
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60652
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60662
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60670
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60684
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60698
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60710
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60728
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60732
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60738
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60744
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45898
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45902
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45912
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45920
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45928
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46004
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46030
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46048
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46066
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47894
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47902
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47910
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47916
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47920
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47922
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47928
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47940
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 47942
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
Sample listens on a socket
Source: /tmp/52lN2HSY7O (PID: 5244) Socket: 0.0.0.0::0
Source: /tmp/52lN2HSY7O (PID: 5250) Socket: 0.0.0.0::0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 136.144.41.15
Source: unknown TCP traffic detected without corresponding DNS query: 197.131.18.136
Source: unknown TCP traffic detected without corresponding DNS query: 183.85.98.136
Source: unknown TCP traffic detected without corresponding DNS query: 245.189.161.108
Source: unknown TCP traffic detected without corresponding DNS query: 193.3.170.183
Source: unknown TCP traffic detected without corresponding DNS query: 141.17.39.237
Source: unknown TCP traffic detected without corresponding DNS query: 32.241.98.250
Source: unknown TCP traffic detected without corresponding DNS query: 188.227.153.6
Source: unknown TCP traffic detected without corresponding DNS query: 185.208.44.48
Source: unknown TCP traffic detected without corresponding DNS query: 37.232.147.235
Source: unknown TCP traffic detected without corresponding DNS query: 142.140.84.111
Source: unknown TCP traffic detected without corresponding DNS query: 99.185.159.252
Source: unknown TCP traffic detected without corresponding DNS query: 97.2.161.202
Source: unknown TCP traffic detected without corresponding DNS query: 145.167.228.105
Source: unknown TCP traffic detected without corresponding DNS query: 212.13.252.233
Source: unknown TCP traffic detected without corresponding DNS query: 24.113.182.154
Source: unknown TCP traffic detected without corresponding DNS query: 218.178.63.174
Source: unknown TCP traffic detected without corresponding DNS query: 169.23.59.31
Source: unknown TCP traffic detected without corresponding DNS query: 242.240.117.66
Source: unknown TCP traffic detected without corresponding DNS query: 44.132.233.126
Source: unknown TCP traffic detected without corresponding DNS query: 251.220.119.233
Source: unknown TCP traffic detected without corresponding DNS query: 186.190.71.94
Source: unknown TCP traffic detected without corresponding DNS query: 63.0.99.123
Source: unknown TCP traffic detected without corresponding DNS query: 65.156.248.103
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.141.169
Source: unknown TCP traffic detected without corresponding DNS query: 182.183.59.95
Source: unknown TCP traffic detected without corresponding DNS query: 118.172.199.129
Source: unknown TCP traffic detected without corresponding DNS query: 253.95.218.176
Source: unknown TCP traffic detected without corresponding DNS query: 67.163.223.123
Source: unknown TCP traffic detected without corresponding DNS query: 32.34.80.49
Source: unknown TCP traffic detected without corresponding DNS query: 216.199.76.79
Source: unknown TCP traffic detected without corresponding DNS query: 140.235.190.158
Source: unknown TCP traffic detected without corresponding DNS query: 221.123.92.204
Source: unknown TCP traffic detected without corresponding DNS query: 70.104.99.105
Source: unknown TCP traffic detected without corresponding DNS query: 118.112.129.241
Source: unknown TCP traffic detected without corresponding DNS query: 44.156.118.140
Source: unknown TCP traffic detected without corresponding DNS query: 13.158.255.149
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.161.172
Source: unknown TCP traffic detected without corresponding DNS query: 193.51.99.20
Source: unknown TCP traffic detected without corresponding DNS query: 86.171.75.89
Source: unknown TCP traffic detected without corresponding DNS query: 118.147.81.187
Source: unknown TCP traffic detected without corresponding DNS query: 73.42.183.6
Source: unknown TCP traffic detected without corresponding DNS query: 250.140.113.44
Source: unknown TCP traffic detected without corresponding DNS query: 19.126.125.138
Source: unknown TCP traffic detected without corresponding DNS query: 12.6.21.161
Source: unknown TCP traffic detected without corresponding DNS query: 118.17.175.67
Source: unknown TCP traffic detected without corresponding DNS query: 243.54.114.224
Source: unknown TCP traffic detected without corresponding DNS query: 168.244.60.190
Source: unknown TCP traffic detected without corresponding DNS query: 179.108.237.40
Source: unknown TCP traffic detected without corresponding DNS query: 189.1.2.169
Source: motd-news.18.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary:

Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/52lN2HSY7O (PID: 5244) SIGKILL sent: pid: 936, result: successful
Source: /tmp/52lN2HSY7O (PID: 5250) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal68.troj.lin@0/1@0/0

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/491/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/793/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/772/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/796/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/774/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/797/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/777/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/799/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/658/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/912/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/759/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/936/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/918/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/1/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/761/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/785/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/884/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/720/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/721/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/788/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/789/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/800/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/801/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/847/fd
Source: /tmp/52lN2HSY7O (PID: 5250) File opened: /proc/904/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/491/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/793/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/772/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/796/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/774/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/797/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/777/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/799/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/658/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/912/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/759/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/936/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/918/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/1/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/761/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/785/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/884/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/720/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/721/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/788/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/789/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/800/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/801/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/847/fd
Source: /tmp/52lN2HSY7O (PID: 5244) File opened: /proc/904/fd
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5194) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.JmXH35JStJ /tmp/tmp.AdZnWFxIG7 /tmp/tmp.Bef8J1nfzZ

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/52lN2HSY7O (PID: 5242) Queries kernel information via 'uname'
Source: 52lN2HSY7O, 5242.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000c82da646.00000000f362cca0.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: 52lN2HSY7O, 5242.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000c82da646.00000000f362cca0.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/52lN2HSY7OSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/52lN2HSY7O
Source: 52lN2HSY7O, 5242.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp Binary or memory string: DV!/etc/qemu-binfmt/m68k
Source: 52lN2HSY7O, 5242.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP