Linux Analysis Report
IsQzUGbu7m

Overview

General Information

Sample Name:	IsQzUGbu7m
Analysis ID:	626493
MD5:	f7aa71fcfc26a997be27cbbcbefe0178
SHA1:	97e1d4f09e6452f51b069673b9a25b61e59e35a8
SHA256:	986ec0cf250a130140e912d37abd078d45a0ae03749db84f133d43d380c0ea78
Tags:	32elfmiraisparc
Infos:

Detection

Mirai

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: IsQzUGbu7m

Virustotal: Detection: 50%

Perma Link

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44060
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44884
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46700
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47530
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44562
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44600
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44660
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44764
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44800
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44838
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44880
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48480
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46134
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46168
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46208
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46234
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46264
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46310
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46340
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46376
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46406
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49378
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52036

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312

Sample listens on a socket

Source: /tmp/IsQzUGbu7m (PID: 6235)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	Socket: 0.0.0.0::0	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	Socket: 0.0.0.0::23	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	Socket: 0.0.0.0::53413	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	Socket: 0.0.0.0::80	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	Socket: 0.0.0.0::52869	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	Socket: 0.0.0.0::37215	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.26.149
Source: unknown	TCP traffic detected without corresponding DNS query: 72.176.227.158
Source: unknown	TCP traffic detected without corresponding DNS query: 145.240.131.5
Source: unknown	TCP traffic detected without corresponding DNS query: 212.112.175.12
Source: unknown	TCP traffic detected without corresponding DNS query: 81.182.152.203
Source: unknown	TCP traffic detected without corresponding DNS query: 76.166.153.29
Source: unknown	TCP traffic detected without corresponding DNS query: 104.137.71.145
Source: unknown	TCP traffic detected without corresponding DNS query: 118.51.19.207
Source: unknown	TCP traffic detected without corresponding DNS query: 9.124.78.196
Source: unknown	TCP traffic detected without corresponding DNS query: 18.113.38.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.190.96.73
Source: unknown	TCP traffic detected without corresponding DNS query: 246.192.251.239
Source: unknown	TCP traffic detected without corresponding DNS query: 116.78.119.81
Source: unknown	TCP traffic detected without corresponding DNS query: 202.136.235.247
Source: unknown	TCP traffic detected without corresponding DNS query: 116.187.69.12
Source: unknown	TCP traffic detected without corresponding DNS query: 31.2.93.252
Source: unknown	TCP traffic detected without corresponding DNS query: 196.18.142.193
Source: unknown	TCP traffic detected without corresponding DNS query: 72.214.248.45
Source: unknown	TCP traffic detected without corresponding DNS query: 153.153.244.240
Source: unknown	TCP traffic detected without corresponding DNS query: 113.173.204.100
Source: unknown	TCP traffic detected without corresponding DNS query: 241.254.59.246
Source: unknown	TCP traffic detected without corresponding DNS query: 165.238.35.244
Source: unknown	TCP traffic detected without corresponding DNS query: 39.113.51.236
Source: unknown	TCP traffic detected without corresponding DNS query: 72.157.59.232
Source: unknown	TCP traffic detected without corresponding DNS query: 47.174.234.169
Source: unknown	TCP traffic detected without corresponding DNS query: 194.185.174.186
Source: unknown	TCP traffic detected without corresponding DNS query: 173.159.22.86
Source: unknown	TCP traffic detected without corresponding DNS query: 196.118.234.121
Source: unknown	TCP traffic detected without corresponding DNS query: 180.66.37.195
Source: unknown	TCP traffic detected without corresponding DNS query: 72.91.152.195
Source: unknown	TCP traffic detected without corresponding DNS query: 100.48.208.186
Source: unknown	TCP traffic detected without corresponding DNS query: 124.202.200.248
Source: unknown	TCP traffic detected without corresponding DNS query: 19.186.225.227
Source: unknown	TCP traffic detected without corresponding DNS query: 60.131.156.196
Source: unknown	TCP traffic detected without corresponding DNS query: 200.74.78.189
Source: unknown	TCP traffic detected without corresponding DNS query: 218.6.181.33
Source: unknown	TCP traffic detected without corresponding DNS query: 66.60.220.247
Source: unknown	TCP traffic detected without corresponding DNS query: 193.205.99.14
Source: unknown	TCP traffic detected without corresponding DNS query: 99.206.2.88
Source: unknown	TCP traffic detected without corresponding DNS query: 90.166.185.88
Source: unknown	TCP traffic detected without corresponding DNS query: 181.74.224.48
Source: unknown	TCP traffic detected without corresponding DNS query: 198.175.72.235
Source: unknown	TCP traffic detected without corresponding DNS query: 20.80.238.203
Source: unknown	TCP traffic detected without corresponding DNS query: 156.240.217.32
Source: unknown	TCP traffic detected without corresponding DNS query: 99.205.40.193
Source: unknown	TCP traffic detected without corresponding DNS query: 135.98.94.210
Source: unknown	TCP traffic detected without corresponding DNS query: 247.243.0.194
Source: unknown	TCP traffic detected without corresponding DNS query: 112.205.216.169

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/IsQzUGbu7m (PID: 6235)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	SIGKILL sent: pid: 936, result: successful			Jump to behavior

Source: classification engine

Classification label: mal60.troj.lin@0/0@0/0

Enumerates processes within the "proc" file system

Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6241)	File opened: /proc/904/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/IsQzUGbu7m (PID: 6235)	File opened: /proc/904/fd	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44060
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44884
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46700
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 47530
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44562
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44600
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44628
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44660
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44764
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44800
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44838
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44880
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48480
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46134
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46168
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46208
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46234
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46264
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46310
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46340
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46376
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46406
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49378
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 52036

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/IsQzUGbu7m (PID: 6233)

Queries kernel information via 'uname':

Jump to behavior

Source: IsQzUGbu7m, 6233.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6235.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6256.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6270.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6266.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6237.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6253.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6243.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: IsQzUGbu7m, 6233.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6235.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6256.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6270.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6266.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6237.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6253.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6243.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: IsQzUGbu7m, 6233.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6235.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6256.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6270.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6266.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6237.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6253.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6243.1.00000000961148e3.0000000065c7861b.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/IsQzUGbu7mSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/IsQzUGbu7m
Source: IsQzUGbu7m, 6233.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6235.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6256.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6270.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6266.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6237.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6253.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6243.1.00000000961148e3.0000000065c7861b.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
126.210.129.153	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
248.164.9.96	unknown	Reserved	unknown	unknown	false
77.144.174.250	unknown	France	15557	LDCOMNETFR	false
32.143.225.45	unknown	United States	7018	ATT-INTERNET4US	false
66.35.8.87	unknown	United States	40033	RED-SPECTRUMUS	false
106.155.249.164	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
20.55.77.85	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
75.216.184.154	unknown	United States	22394	CELLCOUS	false
115.79.190.149	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
42.253.2.77	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
34.117.135.72	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
120.226.132.1	unknown	China	56047	CMNET-HUNAN-APChinaMobilecommunicationscorporationCN	false
13.175.156.143	unknown	United States	7018	ATT-INTERNET4US	false
135.103.97.236	unknown	United States	10455	LUCENT-CIOUS	false
12.50.176.179	unknown	United States	7018	ATT-INTERNET4US	false
17.28.6.77	unknown	United States	714	APPLE-ENGINEERINGUS	false
220.8.207.208	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
240.106.155.214	unknown	Reserved	unknown	unknown	false
155.27.126.3	unknown	United States	745	AFCONC-BLOCK2-ASUS	false
220.18.216.194	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
111.238.136.117	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
168.151.75.229	unknown	United States	204472	ROYALEASNDE	false
154.81.0.139	unknown	Seychelles	35916	MULTA-ASN1US	false
47.70.101.144	unknown	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
16.35.207.179	unknown	United States	unknown	unknown	false
202.33.85.184	unknown	Japan	4725	ODNSoftBankMobileCorpJP	false
255.11.160.128	unknown	Reserved	unknown	unknown	false
60.212.122.204	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
172.255.161.153	unknown	United States	395954	LEASEWEB-USA-LAX-11US	false
115.18.127.255	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
208.51.98.38	unknown	United States	10753	LVLT-10753US	false
177.146.70.182	unknown	Brazil	26599	TELEFONICABRASILSABR	false
44.252.140.191	unknown	United States	16509	AMAZON-02US	false
153.233.14.120	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
103.221.138.182	unknown	China	56209	RKINFRATEL-INRKINFRATELLIMITEDIN	false
216.48.63.57	unknown	United States	7029	WINDSTREAMUS	false
73.22.72.121	unknown	United States	7922	COMCAST-7922US	false
93.139.200.217	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
194.62.20.20	unknown	United Kingdom	58092	PAREXELDE	false
103.21.90.14	unknown	Malaysia	55720	GIGABIT-MYGigabitHostingSdnBhdMY	false
95.137.228.92	unknown	Georgia	34797	SYSTEM-NETGE	false
126.57.229.165	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
93.210.14.165	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
133.0.231.35	unknown	Japan	385	AFCONC-BLOCK1-ASUS	false
76.23.203.172	unknown	United States	7922	COMCAST-7922US	false
216.114.38.175	unknown	United States	17306	RISE-BROADBANDUS	false
123.88.124.250	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
39.120.100.75	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
198.156.62.130	unknown	United States	18676	AVAYAUS	false
5.204.247.38	unknown	Hungary	8448	PGSM-HUTorokbalintHungaryHU	false
1.31.36.230	unknown	China	139007	UNICOM-NM-WULANCHABU-IDCUNICOMInnerMongoliaprovincenetwo	false
159.118.81.38	unknown	United States	11492	CABLEONEUS	false
184.108.195.223	unknown	United States	7922	COMCAST-7922US	false
124.17.131.62	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
119.25.73.160	unknown	Japan	9617	ZAQJupiterTelecommunicationsCoLtdJP	false
112.221.18.251	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
59.97.56.221	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
219.116.5.217	unknown	Japan	2510	INFOWEBFUJITSULIMITEDJP	false
108.22.174.0	unknown	United States	5650	FRONTIER-FRTRUS	false
118.28.46.34	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
126.244.178.203	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
184.53.64.108	unknown	United States	6621	HNS-DIRECPCUS	false
41.102.150.123	unknown	Algeria	36947	ALGTEL-ASDZ	false
158.169.254.131	unknown	Luxembourg	42848	EC-ASLU	false
190.159.114.159	unknown	Colombia	10620	TelmexColombiaSACO	false
246.182.90.20	unknown	Reserved	unknown	unknown	false
61.242.187.13	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
152.41.163.222	unknown	United States	22854	CATAWBA-COLLEGEUS	false
184.205.51.18	unknown	United States	10507	SPCSUS	false
70.77.213.159	unknown	Canada	6327	SHAWCA	false
31.113.156.206	unknown	United Kingdom	12576	EELtdGB	false
157.98.210.16	unknown	United States	3527	NIH-NETUS	false
38.156.61.229	unknown	United States	174	COGENT-174US	false
156.158.51.126	unknown	Tanzania United Republic of	37133	airtel-tz-asTZ	false
89.236.193.114	unknown	Uzbekistan	34718	TPSUZ-ASUZ	false
195.188.7.68	unknown	United Kingdom	5089	NTLGB	false
87.251.163.157	unknown	Russian Federation	5563	URALUralRegionalNetRU	false
113.91.231.215	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
173.81.206.128	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
147.26.91.88	unknown	United States	18777	TEXAS-STATE-UNIVERSITYUS	false
251.143.162.26	unknown	Reserved	unknown	unknown	false
183.125.44.195	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
173.7.4.46	unknown	United States	10507	SPCSUS	false
98.69.192.96	unknown	United States	7018	ATT-INTERNET4US	false
62.154.36.40	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
78.176.223.218	unknown	Turkey	9121	TTNETTR	false
38.83.59.55	unknown	United States	174	COGENT-174US	false
110.228.131.39	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
150.53.79.206	unknown	Japan	7522	STCNSTNetIncorporatedJP	false
46.56.82.223	unknown	Belarus	25106	MTSBY-ASBY	false
124.135.242.27	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
203.211.68.1	unknown	New Zealand	45177	DEVOLI-AS-APDevoliNZ	false
146.239.92.69	unknown	United States	2018	TENET-1ZA	false
130.10.80.11	unknown	United States	6908	DATAHOPDatahop-SixDegreesGB	false
165.146.217.125	unknown	South Africa	5713	SAIX-NETZA	false
36.70.76.239	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
91.105.101.227	unknown	Latvia	12578	APOLLO-ASLatviaLV	false
75.237.138.157	unknown	United States	22394	CELLCOUS	false
37.222.181.5	unknown	Spain	12430	VODAFONE_ESES	false
197.109.109.87	unknown	South Africa	37168	CELL-CZA	false

ID:	626493
Product:	CloudBasic
Start time:	04:48:01
Start date:	14.05.2022
Sample:	IsQzUGbu7m
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	f7aa71fcfc26a997be27cbbcbefe0178
SHA1:	97e1d4f09e6452f51b069673b9a25b61e59e35a8
SHA256:	986ec0cf250a130140e912d37abd078d45a0ae03749db84f133d43d380c0ea78
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
IsQzUGbu7m

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report IsQzUGbu7m

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
IsQzUGbu7m