Linux Analysis Report
apL.mips-20220121-0317

Overview

General Information

Sample Name: apL.mips-20220121-0317
Analysis ID: 557427
MD5: 13e8ba90e042ab6bbc3821fad3cf1837
SHA1: c7dbaf4b95ad104e35570b287b74f8375f1e5d01
SHA256: 37b5a5d9d5ab50a8dff649678a9f10f26a5923186c97d1a623902b68e795abdc

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Deletes all firewall rules
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Tries to stop the "iptables" service
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "systemctl" command used for controlling the systemd system and service manager
Deletes log files
Executes the "iptables" command used for managing IP filtering and manipulation
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories

Classification

AV Detection

Source: apL.mips-20220121-0317 Virustotal: Detection: 27%
Source: apL.mips-20220121-0317 ReversingLabs: Detection: 25%

Bitcoin Miner

Source: /usr/bin/pkill (PID: 5248) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5256) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5260) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2

Spreading

Source: /tmp/apL.mips-20220121-0317 (PID: 5216) Opens: /proc/net/route

Networking

Source: /bin/sh (PID: 5242) Args: iptables -F
Source: /usr/sbin/service (PID: 5265) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5265) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /bin/sh (PID: 5274) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5275) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 60.220.215.198
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown TCP traffic detected without corresponding DNS query: 123.17.44.158
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 36.65.75.239
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: apL.mips-20220121-0317 String found in binary or memory: http://upx.sf.net
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2

System Summary

Source: LOAD without section mappings Program segment: 0x100000
Source: apL.mips-20220121-0317, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine Classification label: mal80.spre.troj.evad.linMIPS-20220121-0317@0/2@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Source: /bin/sh (PID: 5242) Args: iptables -F
Source: /usr/sbin/service (PID: 5265) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5265) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /bin/sh (PID: 5248) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5256) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5260) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/5140/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/5140/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1698/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1698/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1576/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1576/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/2302/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/2302/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/912/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/912/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/2307/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/2307/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/918/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/918/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/5033/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/5033/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1594/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1594/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1349/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1349/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 5256) File opened: /proc/3/cmdline
Source: /usr/sbin/service (PID: 5265) Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5268) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5270) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5278) Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5281) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5283) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /bin/sh (PID: 5274) Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5275) Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /tmp/apL.mips-20220121-0317 (PID: 5224) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/apL.mips-20220121-0317 (PID: 5231) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/apL.mips-20220121-0317 (PID: 5234) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/apL.mips-20220121-0317 (PID: 5237) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/apL.mips-20220121-0317 (PID: 5240) Shell command executed: sh -c "iptables -F"
Source: /tmp/apL.mips-20220121-0317 (PID: 5246) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/apL.mips-20220121-0317 (PID: 5254) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/apL.mips-20220121-0317 (PID: 5258) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/apL.mips-20220121-0317 (PID: 5263) Shell command executed: sh -c "service iptables stop"
Source: /tmp/apL.mips-20220121-0317 (PID: 5272) Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/apL.mips-20220121-0317 (PID: 5276) Shell command executed: sh -c "service firewalld stop"
Source: /tmp/apL.mips-20220121-0317 (PID: 5287) Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/apL.mips-20220121-0317 (PID: 5290) Shell command executed: sh -c "history -c"
Source: /bin/sh (PID: 5226) Rm executable: /usr/bin/rm -> rm -rf /tmp/apL.mips-20220121-0317 /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5 /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 5233) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5236) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5239) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5289) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /usr/bin/dash (PID: 5302) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5
Source: submitted sample Stderr: Failed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not found: exit code = 0
Source: /usr/sbin/service (PID: 5271) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5284) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/rm (PID: 5226) File: /tmp/apL.mips-20220121-0317

Malware Analysis System Evasion

Source: /usr/bin/rm (PID: 5233) Truncated file: /var/log/wtmp
Source: /usr/bin/pkill (PID: 5248) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5256) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5260) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/apL.mips-20220121-0317 (PID: 5216) Queries kernel information via 'uname'
Source: /usr/bin/rm (PID: 5233) Truncated file: /var/log/wtmp
Source: apL.mips-20220121-0317, 5216.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000bdaea5af.00000000fc156366.rw-.sdmp Binary or memory string: 5V!/etc/qemu-binfmt/mips
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000e79fcff1.000000003a41f088.rw-.sdmp Binary or memory string: :XYx86_64/usr/bin/qemu-mips/tmp/apL.mips-20220121-0317SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/apL.mips-20220121-0317
Source: apL.mips-20220121-0317, 5216.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000bdaea5af.00000000fc156366.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000e79fcff1.000000003a41f088.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp Binary or memory string: 5V/tmp/qemu-open.JEqahA\
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp Binary or memory string: /tmp/qemu-open.JEqahA

Stealing of Sensitive Information

Source: Yara match File source: 5219.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5216.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5218.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5219.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5216.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5218.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY