
Linux Analysis Report
csqe8VS0YI

Overview

General Information

Sample Name: csqe8VS0YI
Analysis ID: 626473
MD5: beae05ed2e1e2189d5f44fe5fe95111a
SHA1: ad4d569675210467533e6093f3b13f805c860a28
SHA256: a5cb465d21d9171b83bbbb658bbea9c875e421e37603f5e576c6387570fed6c6
Tags: 32, elf, mirai, motorola

Detection

Mirai
Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper that no longer works.
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626473
Start date and time: 2022-05-14 04:14:29 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: csqe8VS0YI
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal60.troj.lin@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
Command: /tmp/csqe8VS0YI
PID: 6230
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • cleanup
Yara matches:
Source: dump.pcap | Rule: JoeSecurity_Mirai_12 | Description: Yara detected Mirai | Author: Joe Security
No Snort rule has matched


    AV Detection

Source: csqe8VS0YI | Virustotal: Detection: 54%

    Networking

Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 58834, 58842, 58844, 58848, 58858, 58864, 58868, 58870, 58874, 58876, 36090, 36092, 36094, 36098, 36100, 36104, 36108, 36110, 36112, 36118, 46728, 46730, 46732, 46734, 46738, 46744, 46756, 46768, 46780, 46782, 37450, 37456, 37464, 37484, 37492, 37498, 37502, 37510, 37520, 37532, 49996, 50000, 50006, 50008, 50012, 50016, 50018, 50026, 50028, 50030 (50 connections)
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312
Source: /tmp/csqe8VS0YI (PID: 6232) | Socket: 0.0.0.0::0
Source: /tmp/csqe8VS0YI (PID: 6238) | Socket: 0.0.0.0::0
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query (50 destinations): 107.172.197.117, 13.0.164.21, 109.74.44.219, 91.146.53.149, 200.3.132.206, 40.130.28.180, 57.50.234.50, 84.225.48.252, 87.116.152.152, 16.40.254.63, 109.221.53.232, 125.158.147.235, 180.235.64.76, 119.114.96.176, 254.156.93.201, 200.12.231.204, 170.237.5.40, 20.137.109.105, 12.150.146.55, 155.29.204.24, 188.213.44.241, 249.23.145.34, 200.18.228.173, 75.41.202.169, 126.105.222.202, 153.70.148.14, 23.23.94.132, 65.213.102.187, 207.168.78.221, 48.40.215.16, 240.52.146.115, 92.232.247.111, 196.172.39.72, 178.149.134.76, 126.44.231.157, 141.194.26.246, 87.78.65.88, 219.200.159.231, 170.246.202.65, 59.36.111.29, 200.244.143.83, 216.72.26.76, 60.205.3.37, 174.243.166.20, 121.65.191.75, 247.197.213.37, 60.139.134.173, 190.182.241.250, 191.61.152.28, 251.42.123.253
Source: ELF static info symbol of initial sample | .symtab present: no
Source: /tmp/csqe8VS0YI (PID: 6232) | SIGKILL sent: pid: 936, result: successful
Source: /tmp/csqe8VS0YI (PID: 6238) | SIGKILL sent: pid: 936, result: successful
Source: classification engine | Classification label: mal60.troj.lin@0/0@0/0
Source: /tmp/csqe8VS0YI (PID: 6232) | File opened: /proc/491/fd, /proc/793/fd, /proc/772/fd, /proc/796/fd, /proc/774/fd, /proc/797/fd, /proc/777/fd, /proc/799/fd, /proc/658/fd, /proc/912/fd, /proc/759/fd, /proc/936/fd, /proc/918/fd, /proc/1/fd, /proc/761/fd, /proc/785/fd, /proc/884/fd, /proc/720/fd, /proc/721/fd, /proc/788/fd, /proc/789/fd, /proc/800/fd, /proc/801/fd, /proc/847/fd, /proc/904/fd
Source: /tmp/csqe8VS0YI (PID: 6238) | File opened: /proc/491/fd, /proc/793/fd, /proc/772/fd, /proc/796/fd, /proc/774/fd, /proc/797/fd, /proc/777/fd, /proc/799/fd, /proc/658/fd, /proc/912/fd, /proc/759/fd, /proc/936/fd, /proc/918/fd, /proc/1/fd, /proc/761/fd, /proc/785/fd, /proc/884/fd, /proc/720/fd, /proc/721/fd, /proc/788/fd, /proc/789/fd, /proc/800/fd, /proc/801/fd, /proc/847/fd, /proc/904/fd

    Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 58834, 58842, 58844, 58848, 58858, 58864, 58868, 58870, 58874, 58876, 36090, 36092, 36094, 36098, 36100, 36104, 36108, 36110, 36112, 36118, 46728, 46730, 46732, 46734, 46738, 46744, 46756, 46768, 46780, 46782, 37450, 37456, 37464, 37484, 37492, 37498, 37502, 37510, 37520, 37532, 49996, 50000, 50006, 50008, 50012, 50016, 50018, 50026, 50028, 50030 (50 connections)
Source: /tmp/csqe8VS0YI (PID: 6230) | Queries kernel information via 'uname'
Source: csqe8VS0YI, 6230.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6232.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6329.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6347.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6335.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6233.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6340.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6239.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: csqe8VS0YI, 6230.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6232.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6329.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6347.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6335.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6233.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6340.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6239.1.000000008aa52aac.000000001b30196b.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: csqe8VS0YI, 6230.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6232.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6329.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6347.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6335.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6233.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6340.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6239.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: csqe8VS0YI, 6230.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6232.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6329.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6347.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6335.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6233.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6340.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6239.1.000000008aa52aac.000000001b30196b.rw-.sdmp | Binary or memory string: Piyx86_64/usr/bin/qemu-m68k/tmp/csqe8VS0YISUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/csqe8VS0YI

    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP

    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the match count shown in the report):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: 1 Encrypted Channel; 11 Non-Standard Port; 1 Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
    No configs have been found
Behavior Graph (ID: 626473, Sample: csqe8VS0YI, Start date: 14/05/2022, Architecture: LINUX, Score: 60); the graph itself is an image in the original, the details it carried are:
  • Contacted hosts: 209.252.203.215 port 23 (WINDSTREAMUS, United States); 193.240.171.255 (WEST-IP-COMMUNICATIONSUS, United Kingdom); 98 other IPs or domains
  • Signatures shown on the graph: Multi AV Scanner detection for submitted file; Yara detected Mirai; Uses known network protocols on non-standard ports
  • Process tree: csqe8VS0YI is started, then spawns further copies of csqe8VS0YI over four levels (graph node ids: 10 -> 12, 14, 16; 12 -> 18, 20; 14 -> 22, 24, 26; 18 -> 28, 30, 32; 22 -> 34, 36; 28 -> 38, 40)
Antivirus results:
Source: csqe8VS0YI | Detection: 54% | Scanner: Virustotal
No Antivirus matches