Edit tour

Linux Analysis Report
hwLFomKm8k

Overview

General Information

Sample Name:	hwLFomKm8k
Analysis ID:	635041
MD5:	038da709550f5fa2fb58077767bce04b
SHA1:	62c70c834e0a65db09099aa1d2b465244222816f
SHA256:	9e35c0b5c812027d6698b662bb771ada7c1d40cf04050f450feebcbbdbff6b9a
Tags:	32elfmips
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Sample deletes itself

Sample is packed with UPX

Deletes security-related log files

Opens /proc/net/* files useful for finding connected devices and routers

Executes the "kill" or "pkill" command typically used to terminate processes

Sample contains only a LOAD segment without any section mappings

Reads CPU information from /sys indicative of miner or evasive malware

Yara signature match

Deletes log files

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635041
Start date and time: 27/05/202211:33:16	2022-05-27 11:33:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hwLFomKm8k
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.spre.troj.evad.lin@0/1@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
VT rate limit hit for: hwLFomKm8k

Process Tree

system is lnxubuntu20

hwLFomKm8k (PID: 6234, Parent: 6126, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/hwLFomKm8k

hwLFomKm8k New Fork (PID: 6236, Parent: 6234)

hwLFomKm8k New Fork (PID: 6238, Parent: 6234)

hwLFomKm8k New Fork (PID: 6240, Parent: 6238)

hwLFomKm8k New Fork (PID: 6242, Parent: 6240)

sh (PID: 6242, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 6245, Parent: 6242)

rm (PID: 6245, Parent: 6242, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf

hwLFomKm8k New Fork (PID: 6254, Parent: 6240)

sh (PID: 6254, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 6256, Parent: 6254)

rm (PID: 6256, Parent: 6254, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

hwLFomKm8k New Fork (PID: 6257, Parent: 6240)

sh (PID: 6257, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 6259, Parent: 6257)

rm (PID: 6259, Parent: 6257, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

hwLFomKm8k New Fork (PID: 6260, Parent: 6240)

sh (PID: 6260, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 6262, Parent: 6260)

rm (PID: 6262, Parent: 6260, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

hwLFomKm8k New Fork (PID: 6263, Parent: 6240)

sh (PID: 6263, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 6265, Parent: 6263)

pkill (PID: 6265, Parent: 6263, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

hwLFomKm8k New Fork (PID: 6270, Parent: 6240)

sh (PID: 6270, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 6272, Parent: 6270)

pkill (PID: 6272, Parent: 6270, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

hwLFomKm8k New Fork (PID: 6273, Parent: 6240)

sh (PID: 6273, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 6275, Parent: 6273)

pkill (PID: 6275, Parent: 6273, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

hwLFomKm8k New Fork (PID: 6278, Parent: 6240)

sh (PID: 6278, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -j DROP"

sh New Fork (PID: 6280, Parent: 6278)

iptables (PID: 6280, Parent: 6278, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -j DROP

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hwLFomKm8k	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x99a0:$s1: PROT_EXEC\|PROT_WRITE failed. 0x9a0f:$s2: $Id: UPX 0x99c0:$s3: $Info: This file is packed with the UPX executable packer

Memory Dumps

Source	Rule	Description	Author
6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: /usr/bin/pkill (PID: 6265)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6272)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6275)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/hwLFomKm8k (PID: 6234)

Opens: /proc/net/route

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: hwLFomKm8k

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: hwLFomKm8k, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal64.spre.troj.evad.lin@0/1@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /bin/sh (PID: 6265)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 6272)	Pkill executable: /usr/bin/pkill -> pkill -9 perl	Jump to behavior
Source: /bin/sh (PID: 6275)	Pkill executable: /usr/bin/pkill -> pkill -9 python	Jump to behavior

Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6227/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6227/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6240/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6240/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6244/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6244/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6246/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2/cmdline	Jump to behavior

Source: /tmp/hwLFomKm8k (PID: 6242)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6254)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6257)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6260)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6263)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6270)	Shell command executed: sh -c "pkill -9 perl"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6273)	Shell command executed: sh -c "pkill -9 python"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6278)	Shell command executed: sh -c "iptables -A INPUT -j DROP"	Jump to behavior

Source: /bin/sh (PID: 6245)	Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf	Jump to behavior
Source: /bin/sh (PID: 6256)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 6259)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 6262)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /usr/bin/rm (PID: 6245)

File: /tmp/hwLFomKm8k

Jump to behavior

Malware Analysis System Evasion

Deletes security-related log files

Source: /usr/bin/rm (PID: 6256)

Truncated file: /var/log/wtmp

Jump to behavior

Source: /usr/bin/pkill (PID: 6265)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6272)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6275)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /usr/bin/rm (PID: 6256)

Truncated file: /var/log/wtmp

Jump to behavior

Source: /tmp/hwLFomKm8k (PID: 6234)

Queries kernel information via 'uname':

Jump to behavior

Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp	Binary or memory string: 2U%V!/etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: R%V/tmp/qemu-open.WSG3Jy\
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: \|x86_64/usr/bin/qemu-mips/tmp/hwLFomKm8kSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hwLFomKm8k
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: /tmp/qemu-open.WSG3Jy

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	1 Disable or Modify Tools	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Indicator Removal on Host	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	hwLFomKm8k	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.245.210.119	unknown	United States	36352	AS-COLOCROSSINGUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.245.210.119	SecuriteInfo.com.Linux.BackDoor.Fgt.1690.23931.24828	Get hash	malicious	Browse
	t8Y6OUGk1U	Get hash	malicious	Browse
	MbmEqqlMmN	Get hash	malicious	Browse
	3pMA5H3Gdk	Get hash	malicious	Browse
	EYJ1TTn7Xf	Get hash	malicious	Browse
	HPQrQ4BO0y	Get hash	malicious	Browse
	EBTAT8oXJM	Get hash	malicious	Browse
	XFcXZ2Fj66	Get hash	malicious	Browse
	cCz8mjPli3	Get hash	malicious	Browse
	arm	Get hash	malicious	Browse
	cHZ80FbDOq	Get hash	malicious	Browse
	IOPDa5e54T	Get hash	malicious	Browse
	9OmQkqNPaU	Get hash	malicious	Browse
	rHM0FWUct8	Get hash	malicious	Browse
	qnnDnjO5K9	Get hash	malicious	Browse
	Mvu24bfTUj	Get hash	malicious	Browse
	Y4kKw80ixy	Get hash	malicious	Browse
	b2Z4SSZ4NX	Get hash	malicious	Browse
	uCr7QCaNQ2	Get hash	malicious	Browse
	BDK.mips-20220415-0546	Get hash	malicious	Browse
109.202.202.202	SecuriteInfo.com.Linux.Siggen.4218.7289.18978	Get hash	malicious	Browse
	OyDV9DDAAE	Get hash	malicious	Browse
	uname	Get hash	malicious	Browse
	mirai.arm7-20220526-1650	Get hash	malicious	Browse
	RTH4NAnBg2	Get hash	malicious	Browse
	Fv2WeEAnbk	Get hash	malicious	Browse
	http://46.19.137.50/miori.x86	Get hash	malicious	Browse
	jkXGgsaFTL	Get hash	malicious	Browse
	ftp://anonymous:anonymous@2.56.59.196/Saitama1.sh	Get hash	malicious	Browse
	SecuriteInfo.com.Linux.Siggen.4218.17791.2905	Get hash	malicious	Browse
	TVdjrPAhEt	Get hash	malicious	Browse
	CFvB9XN50Q	Get hash	malicious	Browse
	jFtDvdjClP	Get hash	malicious	Browse
	0CLCchpqGp	Get hash	malicious	Browse
	https://storage.googleapis.com/r1ndv3jddfjo0l.appspot.com/dwld/file/1/s/fE2tN5OLFU7a3.html?h=164195503572296102	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Linux.Agent.24016.15292	Get hash	malicious	Browse
	13ptkVE2Os	Get hash	malicious	Browse
	d0sIb2rENC.elf	Get hash	malicious	Browse
	nginx-security-patch	Get hash	malicious	Browse
	SecuriteInfo.com.Linux.Mirai.4306.7144.6153	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	OxjB95ogxT	Get hash	malicious	Browse	104.170.167.245
	MV PEDHOULAS TRADER.exe	Get hash	malicious	Browse	198.12.66.100
	Pxcwqx.exe	Get hash	malicious	Browse	198.12.66.100
	3dxS85LHSh	Get hash	malicious	Browse	192.210.142.180
	REMITTANCE FOR MV HTGF00076676788.exe	Get hash	malicious	Browse	198.12.66.100
	https://sleepy-haslett.192-3-245-183.plesk.page/	Get hash	malicious	Browse	192.3.245.183
	PAYMENT ADVICE.xlsx	Get hash	malicious	Browse	172.245.119.75
	kacoPlvedt	Get hash	malicious	Browse	107.173.85.84
	sora.arm	Get hash	malicious	Browse	104.168.61.47
	Colonial Chemical Order specification.xlsx	Get hash	malicious	Browse	107.172.76.179
	DRAFT OF SHIPMENT DOCUMENTS.xlsx	Get hash	malicious	Browse	172.245.119.75
	Offer to Purchase and Fica.xlsx	Get hash	malicious	Browse	198.12.84.30
	PO#15032016-A001..xlsx	Get hash	malicious	Browse	198.12.89.141
	Product List.exe	Get hash	malicious	Browse	23.94.54.224
	Quote Request the prdouct pirce and PI for Coxout 8-3-2022 Life and Challenge.xlsx	Get hash	malicious	Browse	172.245.120.39
	102.xlsx	Get hash	malicious	Browse	192.3.245.192
	PROFORMA INVOICE.xlsx	Get hash	malicious	Browse	192.210.240.45
	2235001-MAY 2022.xlsx	Get hash	malicious	Browse	172.245.119.75
	400.xlsx	Get hash	malicious	Browse	198.23.145.147
	Quote Enquiry for Cable Tray.xlsx	Get hash	malicious	Browse	172.245.120.39

Process:	/tmp/hwLFomKm8k
File Type:	ASCII text
Category:	dropped
Size (bytes):	230
Entropy (8bit):	3.709552666863289
Encrypted:	false
SSDEEP:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
MD5:	2E667F43AE18CD1FE3C108641708A82C
SHA1:	12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
SHA-256:	6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
SHA-512:	D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
Malicious:	false
Reputation:	high, very likely benign file
Preview:	Iface.Destination.Gateway .Flags.RefCnt.Use.Metric.Mask..MTU.Window.IRTT .ens160.00000000.c0a80201.0003.0.0.0.00000000.0.0.0.ens160.c0a80200.00000000.0001.0.0.0.ffffff00.0.0.0.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.953579492955063
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	hwLFomKm8k
File size:	49692
MD5:	038da709550f5fa2fb58077767bce04b
SHA1:	62c70c834e0a65db09099aa1d2b465244222816f
SHA256:	9e35c0b5c812027d6698b662bb771ada7c1d40cf04050f450feebcbbdbff6b9a
SHA512:	b31807c00059ed1fc06a0a52cce5173f38e6e58d2294da48ef1a2c391231ad1e6a855c65caafd1751f458062b18fb2ae818bd705061d20721576a9fdbc350763
SSDEEP:	768:fQI83S0syxxgtCD66K6qOOONkpm1xRrBeuLJgGlzDpbuR1JruR+bDGnLFTLBw:fD8v9wtsK6qOOONkpm1xZVJuEAnQs
TLSH:	A623F1E9100838C6CE87FDBE62E453961B3D19F2666BDD497846EF89DC060A13B83DC4
File Content Preview:	.ELF...........................4.........4. ...(.......................4...4...............\|.F.\|.F.\|.................P.cUPX!.d.....................`.......?.E.h4...@b..) ..]..0..a....\|.. G.......o#?.Z/=..7N.u.......IM.3.Ms....(.'x...%=5..\.....+.....R....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x108df0
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xa134	0xa134	4.1546	0x5	R E	0x10000
LOAD	0xc37c	0x46c37c	0x46c37c	0x0	0x0	0.0000	0x6	RW	0x10000

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 11:34:04.145555973 CEST	40610	17372	192.168.2.23	172.245.210.119
May 27, 2022 11:34:04.151150942 CEST	42836	443	192.168.2.23	91.189.91.43
May 27, 2022 11:34:04.288422108 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:34:04.288506985 CEST	40610	17372	192.168.2.23	172.245.210.119
May 27, 2022 11:34:04.288992882 CEST	40610	17372	192.168.2.23	172.245.210.119
May 27, 2022 11:34:04.431597948 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:34:04.920835972 CEST	42516	80	192.168.2.23	109.202.202.202
May 27, 2022 11:34:18.486944914 CEST	43928	443	192.168.2.23	91.189.91.42
May 27, 2022 11:34:19.386526108 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:34:19.386611938 CEST	40610	17372	192.168.2.23	172.245.210.119
May 27, 2022 11:34:19.529313087 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:34:19.529388905 CEST	40610	17372	192.168.2.23	172.245.210.119
May 27, 2022 11:34:30.774662018 CEST	42836	443	192.168.2.23	91.189.91.43
May 27, 2022 11:34:34.870645046 CEST	42516	80	192.168.2.23	109.202.202.202
May 27, 2022 11:34:59.446032047 CEST	43928	443	192.168.2.23	91.189.91.42
May 27, 2022 11:35:19.390805960 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:19.799776077 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:20.208633900 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:21.025789022 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:22.661684036 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:25.929580927 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:32.473587990 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:35:45.577327013 CEST	17372	40610	172.245.210.119	192.168.2.23
May 27, 2022 11:36:11.752825975 CEST	17372	40610	172.245.210.119	192.168.2.23

System Behavior

Analysis Process: hwLFomKm8k PID: 6234, Parent PID: 6126

General

Start time:	11:34:02
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	/tmp/hwLFomKm8k
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:02
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:02
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:03
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:03
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:03
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:03
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:03
Start date:	27/05/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	11:34:13
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:13
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /var/log/wtmp"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:13
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:13
Start date:	27/05/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /var/log/wtmp
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	11:34:13
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:13
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /tmp/*"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /tmp/*
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	11:34:14
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /bin/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /bin/netstat
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	11:34:14
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "pkill -9 busybox"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:14
Start date:	27/05/2022
Path:	/usr/bin/pkill
Arguments:	pkill -9 busybox
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time:	11:34:16
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:16
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "pkill -9 perl"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:16
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:16
Start date:	27/05/2022
Path:	/usr/bin/pkill
Arguments:	pkill -9 perl
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time:	11:34:18
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:18
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "pkill -9 python"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:18
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:18
Start date:	27/05/2022
Path:	/usr/bin/pkill
Arguments:	pkill -9 python
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time:	11:34:21
Start date:	27/05/2022
Path:	/tmp/hwLFomKm8k
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	11:34:21
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	sh -c "iptables -A INPUT -j DROP"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:21
Start date:	27/05/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	11:34:21
Start date:	27/05/2022
Path:	/usr/sbin/iptables
Arguments:	iptables -A INPUT -j DROP
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report hwLFomKm8k

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.WSG3Jy (deleted)

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: hwLFomKm8k PID: 6234, Parent PID: 6126

General

Chronological Activities

Analysis Process: hwLFomKm8k PID: 6236, Parent PID: 6234

General

Chronological Activities

Analysis Process: hwLFomKm8k PID: 6238, Parent PID: 6234

General

Chronological Activities

Analysis Process: hwLFomKm8k PID: 6240, Parent PID: 6238

General

Chronological Activities

Analysis Process: hwLFomKm8k PID: 6242, Parent PID: 6240

General

Chronological Activities

Analysis Process: sh PID: 6242, Parent PID: 6240

General

Chronological Activities

Linux Analysis Report
hwLFomKm8k