
Linux Analysis Report
IsQzUGbu7m

Overview

General Information

Sample Name: IsQzUGbu7m
Analysis ID: 626493
MD5: f7aa71fcfc26a997be27cbbcbefe0178
SHA1: 97e1d4f09e6452f51b069673b9a25b61e59e35a8
SHA256: 986ec0cf250a130140e912d37abd078d45a0ae03749db84f133d43d380c0ea78
Tags: 32 elf mirai sparc

Detection

Mirai
Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper which no longer works.
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626493
Start date and time: 2022-05-14 04:48:01 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 3s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: IsQzUGbu7m
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal60.troj.lin@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
Command: /tmp/IsQzUGbu7m
PID: 6233
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Mirai_12 | Yara detected Mirai | Joe Security |
    No Snort rule has matched


    AV Detection

    Source: IsQzUGbu7m  Virustotal: Detection: 50%

    Networking

    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44060
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44884
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 45824
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46700
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 47530
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44562
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44600
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44628
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44660
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44696
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44734
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44764
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44800
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44838
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 44880
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 48480
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46134
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46168
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46208
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46234
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46264
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46286
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46310
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46340
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46376
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 46406
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 49378
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 50284
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 51190
    Source: unknown  Network traffic detected: HTTP traffic on port 23 -> 52036
    Source: global traffic  TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global traffic  TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: global traffic  TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global traffic  TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312
    Source: /tmp/IsQzUGbu7m (PID: 6235)  Socket: 0.0.0.0::0
    Source: /tmp/IsQzUGbu7m (PID: 6241)  Socket: 0.0.0.0::0
    Source: /tmp/IsQzUGbu7m (PID: 6241)  Socket: 0.0.0.0::23
    Source: /tmp/IsQzUGbu7m (PID: 6241)  Socket: 0.0.0.0::53413
    Source: /tmp/IsQzUGbu7m (PID: 6241)  Socket: 0.0.0.0::80
    Source: /tmp/IsQzUGbu7m (PID: 6241)  Socket: 0.0.0.0::52869
    Source: /tmp/IsQzUGbu7m (PID: 6241)  Socket: 0.0.0.0::37215
    Source: unknown  Network traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknown  Network traffic detected: HTTP traffic on port 42836 -> 443
    Source: ELF static info symbol of initial sample  .symtab present: no
    Source: /tmp/IsQzUGbu7m (PID: 6235)  SIGKILL sent: pid: 936, result: successful
    Source: /tmp/IsQzUGbu7m (PID: 6241)  SIGKILL sent: pid: 936, result: successful
    Source: classification engine  Classification label: mal60.troj.lin@0/0@0/0
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/491/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/793/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/772/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/796/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/774/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/797/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/777/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/799/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/658/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/912/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/759/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/936/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/918/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/1/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/761/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/785/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/884/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/720/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/721/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/788/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/789/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/800/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/801/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/847/fd
    Source: /tmp/IsQzUGbu7m (PID: 6241)  File opened: /proc/904/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/491/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/793/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/772/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/796/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/774/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/797/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/777/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/799/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/658/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/912/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/759/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/936/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/918/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/1/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/761/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/785/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/884/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/720/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/721/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/788/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/789/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/800/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/801/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/847/fd
    Source: /tmp/IsQzUGbu7m (PID: 6235)  File opened: /proc/904/fd

    Hooking and other Techniques for Hiding and Protection

    Source: /tmp/IsQzUGbu7m (PID: 6233)  Queries kernel information via 'uname'
    Source: IsQzUGbu7m, 6233.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6235.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6256.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6270.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6266.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6237.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6253.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6243.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp  Binary or memory string: /etc/qemu-binfmt/sparc
    Source: IsQzUGbu7m, 6233.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6235.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6256.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6270.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6266.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6237.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6253.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp, IsQzUGbu7m, 6243.1.0000000023051e42.0000000062fa4c5b.rw-.sdmp  Binary or memory string: U!/etc/qemu-binfmt/sparc
    Source: IsQzUGbu7m, 6233.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6235.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6256.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6270.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6266.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6237.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6253.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6243.1.00000000961148e3.0000000065c7861b.rw-.sdmp  Binary or memory string: x86_64 /usr/bin/qemu-sparc /tmp/IsQzUGbu7m SUDO_USER=saturnino PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin DISPLAY=:1.0 XAUTHORITY=/run/user/1000/gdm/Xauthority SUDO_UID=1000 TERM=xterm-256color COLORTERM=truecolor LOGNAME=root USER=root LANG=en_US.UTF-8 SUDO_COMMAND=/bin/bash HOME=/root MAIL=/var/mail/root SUDO_GID=1000 SHELL=/bin/bash /tmp/IsQzUGbu7m
    Source: IsQzUGbu7m, 6233.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6235.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6256.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6270.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6266.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6237.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6253.1.00000000961148e3.0000000065c7861b.rw-.sdmp, IsQzUGbu7m, 6243.1.00000000961148e3.0000000065c7861b.rw-.sdmp  Binary or memory string: /usr/bin/qemu-sparc

    Stealing of Sensitive Information

    Source: Yara match  File source: dump.pcap, type: PCAP

    Remote Access Functionality

    Source: Yara match  File source: dump.pcap, type: PCAP

    Initial Access: Valid Accounts | Default Accounts | Domain Accounts
    Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
    Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
    Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
    Defense Evasion: Direct Volume Access | Rootkit | Obfuscated Files or Information
    Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager
    Discovery: 11 Security Software Discovery | Application Window Discovery | Query Registry
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
    Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
    Command and Control: 1 Encrypted Channel | 11 Non-Standard Port | 1 Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
    Impact: Modify System Partition | Device Lockout | Delete Device Data
    No configs have been found

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    Behavior Graph (ID: 626493, Sample: IsQzUGbu7m, Start date: 14/05/2022, Architecture: LINUX, Score: 60): IsQzUGbu7m is started and forks into 15 further IsQzUGbu7m processes across four generations; the graph shows contact with 156.158.51.126 (airtel-tz-asTZ, Tanzania United Republic of), 119.25.73.160 (ZAQJupiterTelecommunicationsCoLtdJP, Japan) and 98 other IPs or domains, and the signatures Multi AV Scanner detection for submitted file, Yara detected Mirai and Uses known network protocols on non-standard ports.
    Source | Detection | Scanner | Label
    IsQzUGbu7m | 51% | Virustotal |
    No Antivirus matches
    No contacted domains info
    IP | Domain | Country | ASN | ASN Name | Malicious
    126.210.129.153 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
    248.164.9.96 | unknown | Reserved | unknown | unknown | false
    77.144.174.250 | unknown | France | 15557 | LDCOMNETFR | false
    32.143.225.45 | unknown | United States | 7018 | ATT-INTERNET4US | false
    66.35.8.87 | unknown | United States | 40033 | RED-SPECTRUMUS | false
    106.155.249.164 | unknown | Japan | 2516 | KDDIKDDICORPORATIONJP | false
    20.55.77.85 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    75.216.184.154 | unknown | United States | 22394 | CELLCOUS | false
    115.79.190.149 | unknown | Viet Nam | 7552 | VIETEL-AS-APViettelGroupVN | false
    42.253.2.77 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
    34.117.135.72 | unknown | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
    120.226.132.1 | unknown | China | 56047 | CMNET-HUNAN-APChinaMobilecommunicationscorporationCN | false
    13.175.156.143 | unknown | United States | 7018 | ATT-INTERNET4US | false