Linux Analysis Report
oKukKTcgxV

Overview

General Information

Sample Name: oKukKTcgxV
Analysis ID: 557425
MD5: 5ca61982c3626a6a6317eb28b301c00b
SHA1: ffde6d29d70c9a8471f0b0c86ca1438662183e8a
SHA256: e1250ce224b971ff719ba2532e2de4b317aa90a9f82ddc18843d5d7f9a2b6b39
Tags: 32 elf mirai motorola

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection

Source: oKukKTcgxV Virustotal: Detection: 49%
Source: oKukKTcgxV ReversingLabs: Detection: 55%

Networking

Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:59584 -> 45.88.181.48:420
Source: /tmp/oKukKTcgxV (PID: 5220) Socket: 0.0.0.0::0
Source: /tmp/oKukKTcgxV (PID: 5226) Socket: 0.0.0.0::0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/oKukKTcgxV (PID: 5220) SIGKILL sent: pid: 936, result: successful
Source: /tmp/oKukKTcgxV (PID: 5226) SIGKILL sent: pid: 936, result: successful
Source: classification engine Classification label: mal68.troj.lin@0/0@0/0

Persistence and Installation Behavior


Hooking and other Techniques for Hiding and Protection


Malware Analysis System Evasion

Source: /tmp/oKukKTcgxV (PID: 5218) Queries kernel information via 'uname'
Source: oKukKTcgxV, 5218.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5220.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5318.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5335.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5328.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5221.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5319.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5227.1.000000001b10963a.00000000395e0ea2.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: oKukKTcgxV, 5218.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5220.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5318.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5335.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5328.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5221.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5319.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5227.1.000000001b10963a.00000000395e0ea2.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/oKukKTcgxVSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/oKukKTcgxV
Source: oKukKTcgxV, 5218.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5220.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5318.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5335.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5328.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5221.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5319.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5227.1.0000000046d61b23.0000000064d68725.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: oKukKTcgxV, 5218.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5220.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5318.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5335.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5328.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5221.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5319.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5227.1.0000000046d61b23.0000000064d68725.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP