Linux Analysis Report 9Q1fc1TZq4

Overview

General Information

Sample Name: 9Q1fc1TZq4
Analysis ID: 553493
MD5: b192ed1edacfafee1a66012bfa2c45be
SHA1: 0a3451997f43964a25b203672441f3d4b615d224
SHA256: b41bbb2bcc0d3106fd9767fe53f95329d4178ca48f3fdf700b80619b75207dba
Tags: 32 elf mirai sparc

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 9Q1fc1TZq4 Virustotal: Detection: 52%
Source: 9Q1fc1TZq4 ReversingLabs: Detection: 55%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
Sample listens on a socket
Source: /tmp/9Q1fc1TZq4 (PID: 5224) Socket: 0.0.0.0::0
Source: /tmp/9Q1fc1TZq4 (PID: 5224) Socket: 0.0.0.0::23
Source: /tmp/9Q1fc1TZq4 (PID: 5224) Socket: 0.0.0.0::53413
Source: /tmp/9Q1fc1TZq4 (PID: 5224) Socket: 0.0.0.0::80
Source: /tmp/9Q1fc1TZq4 (PID: 5224) Socket: 0.0.0.0::52869
Source: /tmp/9Q1fc1TZq4 (PID: 5224) Socket: 0.0.0.0::37215
Source: /tmp/9Q1fc1TZq4 (PID: 5229) Socket: 0.0.0.0::0
Source: /tmp/9Q1fc1TZq4 (PID: 5229) Socket: 0.0.0.0::23
Source: /tmp/9Q1fc1TZq4 (PID: 5229) Socket: 0.0.0.0::53413
Source: /tmp/9Q1fc1TZq4 (PID: 5229) Socket: 0.0.0.0::80
Source: /tmp/9Q1fc1TZq4 (PID: 5229) Socket: 0.0.0.0::52869
Source: /tmp/9Q1fc1TZq4 (PID: 5229) Socket: 0.0.0.0::37215
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary:

Sample tries to kill multiple processes (SIGKILL)
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: classification engine Classification label: mal72.spre.troj.lin@0/0@0/0

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/9Q1fc1TZq4 (PID: 5222) Queries kernel information via 'uname'

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP