Linux Analysis Report
oTdXpH4hrI

Overview

General Information

Sample Name: oTdXpH4hrI
Analysis ID: 557422
MD5: 0dbe787e1b8ab7f004a55b418e3141c4
SHA1: 0506160d345965ffb7ffa6edb155ddfab10d1ae4
SHA256: d7d2cab6f55b5b9b2bbd12911c450981eb6d84da22ef13ae1cf9b2d31a336b2d
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection

Source: oTdXpH4hrI Virustotal: Detection: 50%
Source: oTdXpH4hrI ReversingLabs: Detection: 58%

Networking

Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 123.27.182.36:23 -> 192.168.2.23:43438
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 123.27.182.36:23 -> 192.168.2.23:43438
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35172
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35172
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46324
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46324
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35204
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35204
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46378
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46378
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35266
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35266
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46396
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46396
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:32798
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:35302 -> 171.101.68.7:23
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48158
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46424
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46424
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35302
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35302
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:32870
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48188
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48204
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:32896
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48216
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46504
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46504
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35384
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35384
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48256
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48346
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46636
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46636
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33052
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48372
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:48372 -> 59.106.42.241:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35540
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35540
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48404
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38338
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38338
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48418
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46704
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46704
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48446
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33126
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38386
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38386
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35614
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35614
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46750
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46750
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:33178 -> 14.205.71.245:23
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33178
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38432
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38432
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:35690 -> 171.101.68.7:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35690
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35690
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46818
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46818
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33222
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38470
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38470
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.170.93.178:23 -> 192.168.2.23:37092
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.170.93.178:23 -> 192.168.2.23:37092
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33258
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 195.242.232.60:23 -> 192.168.2.23:46868
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 195.242.232.60:23 -> 192.168.2.23:46868
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38518
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38518
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35746
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35746
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:33314 -> 14.205.71.245:23
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33314
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38566
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38566
Source: Traffic Snort IDS: 492 INFO TELNET login failed 14.205.71.245:23 -> 192.168.2.23:33332
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35806
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 171.101.68.7:23 -> 192.168.2.23:35806
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38594
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38594
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:43096 -> 113.69.138.27:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38666
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38666
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.170.93.178:23 -> 192.168.2.23:37294
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.170.93.178:23 -> 192.168.2.23:37294
Source: Traffic Snort IDS: 716 INFO TELNET access 211.210.93.93:23 -> 192.168.2.23:54376
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:54376 -> 211.210.93.93:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 211.210.93.93:23 -> 192.168.2.23:54376
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 211.210.93.93:23 -> 192.168.2.23:54376
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38718
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38718
Source: Traffic Snort IDS: 716 INFO TELNET access 211.210.93.93:23 -> 192.168.2.23:54414
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 211.210.93.93:23 -> 192.168.2.23:54414
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 211.210.93.93:23 -> 192.168.2.23:54414
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 88.97.39.118:23 -> 192.168.2.23:38748
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 88.97.39.118:23 -> 192.168.2.23:38748
Source: Traffic Snort IDS: 716 INFO TELNET access 211.210.93.93:23 -> 192.168.2.23:54496
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.248.224.142:23 -> 192.168.2.23:33122
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.248.224.142:23 -> 192.168.2.23:33122
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 14.247.156.224:23 -> 192.168.2.23:48824
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 14.247.156.224:23 -> 192.168.2.23:48824
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 211.210.93.93:23 -> 192.168.2.23:54496
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 211.210.93.93:23 -> 192.168.2.23:54496
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.170.93.178:23 -> 192.168.2.23:37460
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.170.93.178:23 -> 192.168.2.23:37460
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.248.224.142:23 -> 192.168.2.23:33248
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.248.224.142:23 -> 192.168.2.23:33248
Source: Traffic Snort IDS: 716 INFO TELNET access 211.210.93.93:23 -> 192.168.2.23:54710
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 211.210.93.93:23 -> 192.168.2.23:54710
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 211.210.93.93:23 -> 192.168.2.23:54710
Source: Traffic Snort IDS: 716 INFO TELNET access 210.86.160.30:23 -> 192.168.2.23:35598
Source: Traffic Snort IDS: 716 INFO TELNET access 37.210.150.224:23 -> 192.168.2.23:38740
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.248.224.142:23 -> 192.168.2.23:33432
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.248.224.142:23 -> 192.168.2.23:33432
Source: Traffic Snort IDS: 492 INFO TELNET login failed 37.210.150.224:23 -> 192.168.2.23:38740
Source: Traffic Snort IDS: 716 INFO TELNET access 189.109.99.86:23 -> 192.168.2.23:45562
Source: Traffic Snort IDS: 2023436 ET TROJAN Possible Linux.Mirai Login Attempt (anko) 192.168.2.23:45340 -> 92.27.32.168:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 181.208.148.198:23 -> 192.168.2.23:35062
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 181.208.148.198:23 -> 192.168.2.23:35062
Source: Traffic Snort IDS: 716 INFO TELNET access 183.87.82.70:23 -> 192.168.2.23:40016
Source: Traffic Snort IDS: 716 INFO TELNET access 125.40.199.178:23 -> 192.168.2.23:55972
Source: Traffic Snort IDS: 716 INFO TELNET access 37.210.150.224:23 -> 192.168.2.23:38892
Source: Traffic Snort IDS: 492 INFO TELNET login failed 37.210.150.224:23 -> 192.168.2.23:38892
Source: Traffic Snort IDS: 716 INFO TELNET access 211.210.93.93:23 -> 192.168.2.23:55008
Source: Traffic Snort IDS: 492 INFO TELNET login failed 125.40.199.178:23 -> 192.168.2.23:55972
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 211.210.93.93:23 -> 192.168.2.23:55008
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 211.210.93.93:23 -> 192.168.2.23:55008
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 223.22.253.150:23 -> 192.168.2.23:50640
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 223.22.253.150:23 -> 192.168.2.23:50640
Source: Traffic Snort IDS: 716 INFO TELNET access 37.210.150.224:23 -> 192.168.2.23:39048
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 109.248.224.142:23 -> 192.168.2.23:33684
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 109.248.224.142:23 -> 192.168.2.23:33684
Source: Traffic Snort IDS: 716 INFO TELNET access 125.40.199.178:23 -> 192.168.2.23:56156
Source: Traffic Snort IDS: 492 INFO TELNET login failed 37.210.150.224:23 -> 192.168.2.23:39048
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 181.208.148.198:23 -> 192.168.2.23:35334
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 181.208.148.198:23 -> 192.168.2.23:35334
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 64.33.204.20:23 -> 192.168.2.23:50184
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 64.33.204.20:23 -> 192.168.2.23:50184
Source: Traffic Snort IDS: 492 INFO TELNET login failed 125.40.199.178:23 -> 192.168.2.23:56156
Source: Traffic Snort IDS: 716 INFO TELNET access 190.181.129.62:23 -> 192.168.2.23:50036
Source: Traffic Snort IDS: 716 INFO TELNET access 41.220.252.22:23 -> 192.168.2.23:60154
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:59584 -> 45.88.181.48:420
Source: /tmp/oTdXpH4hrI (PID: 5224) Socket: 0.0.0.0::0
Source: /tmp/oTdXpH4hrI (PID: 5224) Socket: 0.0.0.0::23
Source: /tmp/oTdXpH4hrI (PID: 5224) Socket: 0.0.0.0::53413
Source: /tmp/oTdXpH4hrI (PID: 5224) Socket: 0.0.0.0::80
Source: /tmp/oTdXpH4hrI (PID: 5224) Socket: 0.0.0.0::52869
Source: /tmp/oTdXpH4hrI (PID: 5224) Socket: 0.0.0.0::37215
Source: /tmp/oTdXpH4hrI (PID: 5230) Socket: 0.0.0.0::0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.181.48
Source: unknown TCP traffic detected without corresponding DNS query: 13.99.3.91
Source: unknown TCP traffic detected without corresponding DNS query: 213.48.51.91
Source: unknown TCP traffic detected without corresponding DNS query: 218.125.48.112
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.242.197
Source: unknown TCP traffic detected without corresponding DNS query: 109.194.253.165
Source: unknown TCP traffic detected without corresponding DNS query: 60.114.129.93
Source: unknown TCP traffic detected without corresponding DNS query: 129.12.65.33
Source: unknown TCP traffic detected without corresponding DNS query: 176.251.11.190
Source: unknown TCP traffic detected without corresponding DNS query: 24.34.248.233
Source: unknown TCP traffic detected without corresponding DNS query: 16.5.134.136
Source: unknown TCP traffic detected without corresponding DNS query: 99.40.14.192
Source: unknown TCP traffic detected without corresponding DNS query: 59.72.151.245
Source: unknown TCP traffic detected without corresponding DNS query: 206.172.101.52
Source: unknown TCP traffic detected without corresponding DNS query: 188.248.144.30
Source: unknown TCP traffic detected without corresponding DNS query: 244.227.74.205
Source: unknown TCP traffic detected without corresponding DNS query: 179.170.46.168
Source: unknown TCP traffic detected without corresponding DNS query: 241.191.180.87
Source: unknown TCP traffic detected without corresponding DNS query: 160.56.37.54
Source: unknown TCP traffic detected without corresponding DNS query: 153.197.243.208
Source: unknown TCP traffic detected without corresponding DNS query: 156.90.122.223
Source: unknown TCP traffic detected without corresponding DNS query: 133.222.56.123
Source: unknown TCP traffic detected without corresponding DNS query: 118.79.36.7
Source: unknown TCP traffic detected without corresponding DNS query: 116.136.250.115
Source: unknown TCP traffic detected without corresponding DNS query: 217.55.73.199
Source: unknown TCP traffic detected without corresponding DNS query: 117.164.73.184
Source: unknown TCP traffic detected without corresponding DNS query: 122.92.35.228
Source: unknown TCP traffic detected without corresponding DNS query: 253.129.94.157
Source: unknown TCP traffic detected without corresponding DNS query: 216.250.52.131
Source: unknown TCP traffic detected without corresponding DNS query: 203.236.93.165
Source: unknown TCP traffic detected without corresponding DNS query: 157.12.95.197
Source: unknown TCP traffic detected without corresponding DNS query: 163.144.160.244
Source: unknown TCP traffic detected without corresponding DNS query: 31.68.227.50
Source: unknown TCP traffic detected without corresponding DNS query: 40.61.42.154
Source: unknown TCP traffic detected without corresponding DNS query: 157.249.88.204
Source: unknown TCP traffic detected without corresponding DNS query: 44.17.132.191
Source: unknown TCP traffic detected without corresponding DNS query: 57.61.211.145
Source: unknown TCP traffic detected without corresponding DNS query: 104.186.247.49
Source: unknown TCP traffic detected without corresponding DNS query: 67.194.183.198
Source: unknown TCP traffic detected without corresponding DNS query: 84.68.236.88
Source: unknown TCP traffic detected without corresponding DNS query: 175.144.160.84
Source: unknown TCP traffic detected without corresponding DNS query: 115.107.41.93
Source: unknown TCP traffic detected without corresponding DNS query: 183.18.226.158
Source: unknown TCP traffic detected without corresponding DNS query: 109.125.184.245
Source: unknown TCP traffic detected without corresponding DNS query: 223.251.22.37
Source: unknown TCP traffic detected without corresponding DNS query: 101.72.146.175
Source: unknown TCP traffic detected without corresponding DNS query: 40.100.208.70
Source: unknown TCP traffic detected without corresponding DNS query: 5.83.64.208
Source: unknown TCP traffic detected without corresponding DNS query: 23.57.120.136
Source: unknown TCP traffic detected without corresponding DNS query: 114.86.122.204
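The Networking entries above are raw alert and flow lines, and the questions a responder asks of them are the same every time: which Emerging Threats signatures fired and against whom, how many Telnet peers the sample touched, whether any outbound flow goes to a port other than Telnet/HTTP(S), and whether the DNS-less targets include addresses that no filtered target generator would emit (the report lists 244.227.74.205, 241.191.180.87 and 253.129.94.157, all in the reserved 240.0.0.0/4 block). The Python below is an added triage script, not part of the sandbox or of the sample; it assumes the sandbox address 192.168.2.23 shown in the report, and SAMPLE_LINES is a constructed subset copied in shape from the lines above. Calling 45.88.181.48:420 a C2 candidate is an inference the script makes from the port alone, not something the report states.

```python
"""Triage of sandbox Networking entries (added example, not sandbox code)."""
import ipaddress
import re
from collections import Counter

# Address of the analysis VM as it appears in the report.
SANDBOX_IP = "192.168.2.23"

# Ranges a filtered random target generator would skip. Hits here mean the
# scanner picks targets from the whole 32-bit space.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: a handful of lines in the shape of the report entries.
SAMPLE_LINES = """\
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 123.27.182.36:23 -> 192.168.2.23:43438
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 123.27.182.36:23 -> 192.168.2.23:43438
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:35302 -> 171.101.68.7:23
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 171.101.68.7:23 -> 192.168.2.23:35302
Source: Traffic Snort IDS: 2023436 ET TROJAN Possible Linux.Mirai Login Attempt (anko) 192.168.2.23:45340 -> 92.27.32.168:23
Source: Traffic Snort IDS: 716 INFO TELNET access 59.106.42.241:23 -> 192.168.2.23:48158
Source: global traffic TCP traffic: 192.168.2.23:59584 -> 45.88.181.48:420
Source: unknown TCP traffic detected without corresponding DNS query: 45.88.181.48
Source: unknown TCP traffic detected without corresponding DNS query: 244.227.74.205
Source: unknown TCP traffic detected without corresponding DNS query: 241.191.180.87
Source: unknown TCP traffic detected without corresponding DNS query: 13.99.3.91
"""

SNORT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
FLOW_RE = re.compile(r"TCP traffic: (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
NODNS_RE = re.compile(r"without corresponding DNS query: (?P<ip>\S+)$")


def parse_lines(text):
    """Split report lines into Snort alerts, raw TCP flows and DNS-less target IPs."""
    alerts, flows, no_dns = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := SNORT_RE.search(line):
            d = m.groupdict()
            d["sid"], d["sport"], d["dport"] = int(d["sid"]), int(d["sport"]), int(d["dport"])
            alerts.append(d)
        elif m := FLOW_RE.search(line):
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            flows.append(d)
        elif m := NODNS_RE.search(line):
            no_dns.append(m.group("ip"))
    return alerts, flows, no_dns


def is_bogon(ip):
    """True if the address lies in a range no routable scan target should come from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def summarize(text):
    alerts, flows, no_dns = parse_lines(text)
    rules = Counter((a["sid"], a["msg"]) for a in alerts)
    # The Telnet peer is whichever side of a port-23 alert is not the sandbox.
    telnet_peers = set()
    for a in alerts:
        if 23 in (a["sport"], a["dport"]):
            telnet_peers.add(a["dst"] if a["src"] == SANDBOX_IP else a["src"])
    # ET rules carry exploit/trojan context; the INFO TELNET rules are login noise.
    et_hits = sorted({(a["sid"], a["msg"], a["dst"]) for a in alerts if a["msg"].startswith("ET ")})
    # Outbound flows to anything but Telnet/HTTP(S) are the C2 candidates to pivot on.
    odd_ports = sorted({(f["dst"], f["dport"]) for f in flows
                        if f["src"] == SANDBOX_IP and f["dport"] not in (23, 80, 443)})
    return {
        "rules": rules,
        "telnet_peers": telnet_peers,
        "et_hits": et_hits,
        "odd_ports": odd_ports,
        "bogon_targets": [ip for ip in no_dns if is_bogon(ip)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it over the full Networking section (paste the lines into SAMPLE_LINES or read them from a file) to get the peer count and the ET hits in one pass; the bogon list is the quickest tell that the scanner generates targets without a reserved-range filter.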

System Summary

Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/oTdXpH4hrI (PID: 5224) SIGKILL sent: pid: 936, result: successful
Source: /tmp/oTdXpH4hrI (PID: 5230) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal64.troj.lin@0/0@0/0
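The tags (32-bit ELF, MIPS) and the ".symtab present: no" entry are the facts readelf -h and readelf -S give for the file. The parser below is an added example, not sandbox or sample code; it reads the same facts (ELF class, byte order, e_machine, whether any SHT_SYMTAB section exists) directly from the headers so a sample can be triaged on a host without binutils. Since the report does not contain the sample's bytes, build_min_elf32 is a constructed fixture: an ELF32 MIPS header with a section-name table and an optional empty .symtab, just enough structure for the parser to chew on. One caveat the script surfaces: a binary whose section-header table was removed altogether (e_shnum of 0) trivially has no .symtab, so has_section_headers is reported alongside has_symtab.

```python
"""Minimal ELF header triage (added example; the fixture binary is constructed)."""
import struct
import sys

EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
SHT_SYMTAB, SHT_STRTAB = 2, 3
# e_machine values commonly met on IoT botnet samples (subset of the ELF spec).
MACHINES = {2: "SPARC", 3: "x86", 4: "68k", 8: "MIPS", 20: "PowerPC", 40: "ARM",
            42: "SuperH", 43: "SPARC V9", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_info(data):
    """Parse the ELF header and section headers; returns a dict of triage facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls = data[EI_CLASS]
    end = "<" if data[EI_DATA] == ELFDATA2LSB else ">"
    if cls == ELFCLASS32:
        hdr_fmt, sh_fmt = end + "16sHHIIIIIHHHHHH", end + "IIIIIIIIII"
    elif cls == ELFCLASS64:
        hdr_fmt, sh_fmt = end + "16sHHIQQQIHHHHHH", end + "IIQQQQIIQQ"
    else:
        raise ValueError("unknown EI_CLASS")
    (_, e_type, e_machine, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(hdr_fmt, data, 0)
    sections = []
    for i in range(e_shnum):
        sh = struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)
        # Field order is identical for ELF32 and ELF64: name, type, flags, addr, offset, size, ...
        sections.append({"name_off": sh[0], "type": sh[1], "offset": sh[4], "size": sh[5]})
    # Resolve section names through .shstrtab, the string table e_shstrndx points at.
    for s in sections:
        s["name"] = ""
    if e_shnum and e_shstrndx < e_shnum:
        st = sections[e_shstrndx]
        strtab = data[st["offset"]:st["offset"] + st["size"]]
        for s in sections:
            nul = strtab.find(b"\0", s["name_off"])
            s["name"] = strtab[s["name_off"]:nul].decode("ascii", "replace")
    return {
        "bits": 32 if cls == ELFCLASS32 else 64,
        "endian": "little" if end == "<" else "big",
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "sections": [s["name"] for s in sections],
        "has_section_headers": e_shnum > 0,
        "has_symtab": any(s["type"] == SHT_SYMTAB for s in sections),
    }


def build_min_elf32(machine=8, little=True, with_symtab=True):
    """Constructed fixture: ELF32 header + .shstrtab + section headers, no code."""
    end = "<" if little else ">"
    shstrtab = b"\0.shstrtab\0.symtab\0"   # ".shstrtab" at offset 1, ".symtab" at 11
    ehsize, shentsize = 52, 40
    shstr_off = ehsize
    shoff = shstr_off + len(shstrtab)
    headers = [(0,) * 10]                  # mandatory SHN_UNDEF entry
    headers.append((1, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))
    if with_symtab:
        headers.append((11, SHT_SYMTAB, 0, 0, shoff, 0, 1, 0, 4, 16))
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB if little else ELFDATA2MSB, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(end + "16sHHIIIIIHHHHHH", e_ident, 2, machine, 1, 0, 0, shoff, 0,
                       ehsize, 32, 0, shentsize, len(headers), 1)
    return ehdr + shstrtab + b"".join(struct.pack(end + "IIIIIIIIII", *h) for h in headers)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_elf32(with_symtab=False)
    print(elf_info(blob))
```

Pass a real sample path as the first argument to triage it; with no argument the script parses its own fixture, which reports a 32-bit little-endian MIPS executable without a symbol table, the same picture the report gives for oTdXpH4hrI.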

Persistence and Installation Behavior

Source: /tmp/oTdXpH4hrI (PID: 5230) File opened: /proc/<pid>/fd for pids 491, 793, 772, 796, 774, 797, 777, 799, 658, 912, 759, 936, 918, 1, 761, 785, 884, 720, 721, 788, 789, 800, 801, 847, 904
Source: /tmp/oTdXpH4hrI (PID: 5224) File opened: /proc/<pid>/fd for pids 491, 793, 772, 796, 774, 797, 777, 799, 658, 912, 759, 936, 918, 1, 761, 785, 884, 720, 721, 788, 789, 800, 801, 847, 904
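Both worker processes walk the fd directory of every pid on the box and then SIGKILL pid 936, one of the pids whose fd table they read. The report does not show how 936 was chosen; the assumption behind the example below is that the selection joins socket inodes found under /proc/<pid>/fd against /proc/net/tcp, which is how a process with no ptrace access can learn which pid owns a listening port. The Python is an added responder tool, not sandbox or sample code: it answers "which process holds ports 23 and 80" from /proc alone, so you can see what a kill of that pid would take down. SAMPLE_NET_TCP and FAKE_FDS are constructed fixtures (the pid 936 in them is borrowed from the report, the inode numbers are made up); the injectable readlink/listdir arguments exist only so the logic can run offline.

```python
"""Map listening TCP ports to owning pids via /proc (added example; fixtures are constructed)."""
import os
import re
import socket
import struct

TCP_LISTEN = 0x0A
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def parse_proc_net_tcp(text):
    """Return {inode: (ip, port)} for every LISTEN socket in /proc/net/tcp-format text."""
    listeners = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        ip_hex, port_hex = f[1].split(":")
        # The kernel prints the IPv4 address as one 32-bit word in host byte order.
        ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
        listeners[int(f[9])] = (ip, int(port_hex, 16))
    return listeners


def socket_inodes_of(pid, readlink=os.readlink, listdir=os.listdir):
    """Socket inodes referenced from /proc/<pid>/fd (reading another user's table needs root)."""
    fd_dir = f"/proc/{pid}/fd"
    inodes = set()
    try:
        entries = listdir(fd_dir)
    except OSError:                              # process exited or permission denied
        return inodes
    for fd in entries:
        try:
            target = readlink(f"{fd_dir}/{fd}")
        except OSError:
            continue
        if m := SOCKET_LINK.match(target):
            inodes.add(int(m.group(1)))
    return inodes


def owners_of_listening_ports(ports, net_tcp_text, pids, readlink=os.readlink, listdir=os.listdir):
    """{port: {pid, ...}} for the ports of interest, joined on socket inode."""
    wanted = {inode: addr for inode, addr in parse_proc_net_tcp(net_tcp_text).items() if addr[1] in ports}
    owners = {}
    for pid in pids:
        for inode in socket_inodes_of(pid, readlink, listdir) & set(wanted):
            owners.setdefault(wanted[inode][1], set()).add(pid)
    return owners


# Constructed fixture: listeners on 23 and 80 plus one established connection.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18301 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D1A2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 18455 1 0000000000000000 20 4 30 10 -1
"""
FAKE_FDS = {   # pid -> {fd: readlink target}; constructed, pid 936 borrowed from the report
    1: {"0": "/dev/null", "1": "/dev/null"},
    918: {"0": "/dev/null", "5": "socket:[18301]"},
    936: {"0": "/dev/null", "3": "socket:[18234]", "4": "socket:[18455]"},
}


def fake_listdir(path):
    pid = int(path.split("/")[2])
    if pid not in FAKE_FDS:
        raise FileNotFoundError(path)
    return list(FAKE_FDS[pid])


def fake_readlink(path):
    parts = path.split("/")
    return FAKE_FDS[int(parts[2])][parts[4]]


if __name__ == "__main__":
    print(owners_of_listening_ports({23, 80}, SAMPLE_NET_TCP, FAKE_FDS, fake_readlink, fake_listdir))
    # Live run on the current host (root needed to read other users' fd tables):
    # with open("/proc/net/tcp") as fh: tcp = fh.read()
    # print(owners_of_listening_ports({23, 80}, tcp, [int(p) for p in os.listdir("/proc") if p.isdigit()]))
```

Run live, the function reports which pid answers on Telnet and HTTP; if the sandbox had shown /proc/net/tcp being read that would tie the SIGKILL of pid 936 to the port it served, but the report only shows the fd walk, so the link stays an assumption.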

Malware Analysis System Evasion

Source: /tmp/oTdXpH4hrI (PID: 5222) Queries kernel information via 'uname':
Note: the /usr/bin/qemu-mipsel and /etc/qemu-binfmt/mipsel strings in the memory dumps below, together with the SUDO_*, PATH and DISPLAY environment that surrounds them, appear to be the argv and environment of the qemu-user emulator the sandbox used to run this MIPS ELF on an x86_64 host, not strings carried by the sample itself; treat them as an artifact of the analysis environment rather than as evidence that the sample fingerprints QEMU.
Source: oTdXpH4hrI, 5222.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5224.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5321.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5338.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5327.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5225.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5334.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5231.1.000000007605e787.000000009fa22cef.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: oTdXpH4hrI, 5222.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5224.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5321.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5338.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5327.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5225.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5334.1.000000007605e787.000000009fa22cef.rw-.sdmp, oTdXpH4hrI, 5231.1.000000007605e787.000000009fa22cef.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: oTdXpH4hrI, 5222.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5224.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5321.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5338.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5327.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5225.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5334.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5231.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp Binary or memory string: ux86_64/usr/bin/qemu-mipsel/tmp/oTdXpH4hrISUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/oTdXpH4hrI
Source: oTdXpH4hrI, 5222.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5224.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5321.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5338.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5327.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5225.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5334.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp, oTdXpH4hrI, 5231.1.0000000029ef6d05.00000000e9b6e899.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP