Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32898 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32900 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32904 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32906 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32910 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32912 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32914 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32916 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32920 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 32922 |
Source: global traffic |
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: global traffic |
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
Socket: 0.0.0.0::0 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
Socket: 0.0.0.0::23 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
Socket: 0.0.0.0::53413 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
Socket: 0.0.0.0::80 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
Socket: 0.0.0.0::52869 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
Socket: 0.0.0.0::37215 |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
Socket: 0.0.0.0::0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: uuC6SqiHEK |
String found in binary or memory: http://upx.sf.net |
Source: LOAD without section mappings |
Program segment: 0x100000 |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
SIGKILL sent: pid: 936, result: successful |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
SIGKILL sent: pid: 936, result: successful |
Source: classification engine |
Classification label: mal64.troj.evad.lin@0/0@0/0 |
Source: initial sample |
String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample |
String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample |
String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $ |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/491/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/793/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/772/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/796/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/774/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/797/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/777/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/799/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/658/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/912/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/759/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/936/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/918/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/1/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/761/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/785/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/884/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/720/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/721/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/788/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/789/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/800/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/801/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/847/fd |
Source: /tmp/uuC6SqiHEK (PID: 6231) |
File opened: /proc/904/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/491/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/793/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/772/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/796/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/774/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/797/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/777/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/799/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/658/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/912/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/759/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/936/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/918/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/1/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/761/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/785/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/884/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/720/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/721/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/788/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/789/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/800/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/801/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/847/fd |
Source: /tmp/uuC6SqiHEK (PID: 6225) |
File opened: /proc/904/fd |
Source: /tmp/uuC6SqiHEK (PID: 6223) |
Queries kernel information via 'uname': |
Source: uuC6SqiHEK, 6223.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mipsel |
Source: uuC6SqiHEK, 6223.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp |
Binary or memory string: #Zx86_64/usr/bin/qemu-mipsel/tmp/uuC6SqiHEKSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uuC6SqiHEK |
Source: uuC6SqiHEK, 6223.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/mipsel |
Source: uuC6SqiHEK, 6223.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mipsel |
Source: Yara match |
File source: dump.pcap, type: PCAP |