
Linux Analysis Report
hwLFomKm8k

Overview

General Information

Sample Name: hwLFomKm8k
Analysis ID: 635041
MD5: 038da709550f5fa2fb58077767bce04b
SHA1: 62c70c834e0a65db09099aa1d2b465244222816f
SHA256: 9e35c0b5c812027d6698b662bb771ada7c1d40cf04050f450feebcbbdbff6b9a
Tags: 32 elf mips

Detection

Malware family: Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Opens /proc/net/* files useful for finding connected devices and routers
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

The static ELF header machine field (e_machine) describes a MIPS binary (tags: 32 elf mips), so the sample cannot execute natively on the x64 analysis system. The memory strings /usr/bin/qemu-mips and /etc/qemu-binfmt/mips listed under Malware Analysis System Evasion show that it was run through QEMU user-mode emulation via binfmt_misc instead; timing, syscall and networking behaviour under emulation can differ from behaviour on a real MIPS device, so the reported findings should be read with that in mind.
All HTTP servers contacted by the sample do not answer; the sample is likely an old dropper that no longer works. Note that the only TCP peers recorded in this report are 91.189.91.42/43 (CANONICAL-ASGB) and 109.202.202.202 (INIT7CH), none of which is attributed to a sample PID, so the sample's actual download or C2 infrastructure may never have been reached during this run.
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635041
Start date and time: 2022-05-27 11:33:16 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: hwLFomKm8k
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal64.spre.troj.evad.lin@0/1@0/0
  • Connection to analysis system has been lost, crash info: Unknown
  • VT rate limit hit for: hwLFomKm8k
  • system is lnxubuntu20
  • hwLFomKm8k (PID: 6234, Parent: 6126, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/hwLFomKm8k
    • hwLFomKm8k New Fork (PID: 6238, Parent: 6234)
      • hwLFomKm8k New Fork (PID: 6240, Parent: 6238)
        • sh (PID: 6242, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
          • sh New Fork (PID: 6245, Parent: 6242)
          • rm (PID: 6245, Parent: 6242, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
        • sh (PID: 6254, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"
          • sh New Fork (PID: 6256, Parent: 6254)
          • rm (PID: 6256, Parent: 6254, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp
        • sh (PID: 6257, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"
          • sh New Fork (PID: 6259, Parent: 6257)
          • rm (PID: 6259, Parent: 6257, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*
        • sh (PID: 6260, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"
          • sh New Fork (PID: 6262, Parent: 6260)
          • rm (PID: 6262, Parent: 6260, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat
        • sh (PID: 6263, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"
          • sh New Fork (PID: 6265, Parent: 6263)
          • pkill (PID: 6265, Parent: 6263, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox
        • sh (PID: 6270, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"
          • sh New Fork (PID: 6272, Parent: 6270)
          • pkill (PID: 6272, Parent: 6270, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl
        • sh (PID: 6273, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"
          • sh New Fork (PID: 6275, Parent: 6273)
          • pkill (PID: 6275, Parent: 6273, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python
        • sh (PID: 6278, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -j DROP"
          • sh New Fork (PID: 6280, Parent: 6278)
          • iptables (PID: 6280, Parent: 6278, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -j DROP
  • cleanup
Yara matches on the initial sample
Source: hwLFomKm8k
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0x99a0: $s1: PROT_EXEC|PROT_WRITE failed.
  • 0x9a0f: $s2: $Id: UPX
  • 0x99c0: $s3: $Info: This file is packed with the UPX executable packer

Yara matches on process memory dumps
Source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security

No Snort rule has matched
Source: /usr/bin/pkill (PID: 6265) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6272) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6275) Reads CPU info from /sys: /sys/devices/system/cpu/online
Note: all three reads come from the system's own /usr/bin/pkill (a routine startup read by the pkill binary and its C library to learn the online CPU count), not from the sample, so the "indicative of miner or evasive malware" wording of this signature carries no weight for this sample.

        Spreading

Source: /tmp/hwLFomKm8k (PID: 6234) Opens: /proc/net/route
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Note: 91.189.91.42 and 91.189.91.43 sit in CANONICAL-ASGB (per the behavior graph), the address space of the vendor of the Ubuntu 20.04 analysis image, and 109.202.202.202 in INIT7CH; none of the three is attributed to a sample PID, and a stock Ubuntu desktop contacts Canonical hosts on its own (connectivity checks, snap and apt metadata). Confirm the owning process in the pcap before treating these addresses as Mirai download-server or C2 indicators.
Source: hwLFomKm8k String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x100000
Source: hwLFomKm8k, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine Classification label: mal64.spre.troj.evad.lin@0/1@0/0

        Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
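Added example, not part of the Joe Sandbox report: a static triage check that reproduces three of the findings above from the file itself, namely the e_machine value behind the "might only run correctly on MIPS" analysis advice, the UPX marker strings that the SUSP_ELF_LNX_UPX_Compressed_File rule matched, and the empty section header table (e_shnum == 0) that stock UPX leaves behind and that the "only a LOAD segment without any section mappings" signature keys on. The sample itself is not available here, so build_sample_header() constructs a stand-in with the same properties (ELF32, big-endian, EM_MIPS, one program header, no section headers, the UPX strings after the header); its entry point and string offsets are arbitrary and the machine-name table is this example's own.

```python
import struct

# ELF e_machine values relevant to the report (from the ELF specification).
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM",
                 EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}

# Marker strings from the SUSP_ELF_LNX_UPX_Compressed_File rule quoted in the report.
UPX_MARKERS = (b"$Info: This file is packed with the UPX executable packer",
               b"$Id: UPX",
               b"PROT_EXEC|PROT_WRITE failed.")


def parse_elf_header(data: bytes) -> dict:
    """Decode class, byte order, e_machine and the header-table counts from an ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    bo = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(bo + "HH", data[16:20])
    if ei_class == 1:                             # ELF32: e_phnum at 44, e_shnum at 48
        e_phnum, _, e_shnum = struct.unpack(bo + "HHH", data[44:50])
    else:                                         # ELF64: e_phnum at 56, e_shnum at 60
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        e_phnum, _, e_shnum = struct.unpack(bo + "HHH", data[56:62])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
        "machine": MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "e_phnum": e_phnum,
        "e_shnum": e_shnum,
    }


def find_upx_markers(data: bytes) -> dict:
    """Map each UPX marker string present in the file to its byte offset."""
    return {m.decode(): data.find(m) for m in UPX_MARKERS if m in data}


def triage(data: bytes, host_machine: int = EM_X86_64) -> dict:
    """Static triage: host architecture mismatch, UPX packing, missing section table."""
    info = parse_elf_header(data)
    info["upx_markers"] = find_upx_markers(data)
    info["packed_upx"] = bool(info["upx_markers"])
    info["no_section_headers"] = info["e_shnum"] == 0
    info["runs_natively_on_host"] = info["e_machine"] == host_machine
    return info


def build_sample_header() -> bytes:
    """Constructed stand-in for the report's sample (not the real file): ELF32, big-endian,
    e_machine = EM_MIPS, one program header, no section headers, UPX marker strings after it."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack(">HHIIIIIHHHHHH",
                              2, EM_MIPS, 1, 0x100040, 52, 0, 0,   # type, machine, version, entry, phoff, shoff, flags
                              52, 32, 1, 0, 0, 0)                   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    body = (b"\x00" * 200
            + b"PROT_EXEC|PROT_WRITE failed.\x00"
            + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
            + b"$Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $\n")
    return hdr + body


if __name__ == "__main__":
    for key, value in triage(build_sample_header()).items():
        print(f"{key}: {value}")
```

Run against a real file by passing open(path, "rb").read() to triage(). A MIPS result with intact markers usually means stock `upx -d` can unpack it; Mirai builds frequently corrupt the UPX header or magic to defeat that, in which case the markers are still present but unpacking needs a repaired header or a memory dump such as the r-x.sdmp files the Yara rule matched.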
Source: /bin/sh (PID: 6265) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 6272) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 6275) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/<pid>/status and /proc/<pid>/cmdline for each of the following PIDs: 1582, 3088, 230, 110, 231, 111, 232, 1579, 112, 233, 1699, 113, 234, 1335, 1698, 114, 235, 1334, 1576, 2302, 115, 236, 116, 237, 117, 118, 910, 6227, 119, 912, 10, 2307, 11, 918, 12, 6240, 13, 14, 15, 16, 6244, 17, 18, 6246, 1594, 120, 121, 1349, 1, 122, 243, 123, 2
Note: this /proc walk is how pkill matches process names (procps reads status and cmdline for every PID), so the "Enumerates processes within the proc file system" signature is triggered by the system's pkill binary acting on the sample's behalf rather than by code in the sample. The intent is still the sample's: killing busybox, perl and python with SIGKILL is the usual Mirai-variant step for removing competing bots and scripting interpreters from an infected device.
Source: /tmp/hwLFomKm8k (PID: 6242) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/hwLFomKm8k (PID: 6254) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/hwLFomKm8k (PID: 6257) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/hwLFomKm8k (PID: 6260) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/hwLFomKm8k (PID: 6263) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/hwLFomKm8k (PID: 6270) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/hwLFomKm8k (PID: 6273) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/hwLFomKm8k (PID: 6278) Shell command executed: sh -c "iptables -A INPUT -j DROP"
Source: /bin/sh (PID: 6245) Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 6256) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 6259) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 6262) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
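Added example, not from the report: detection logic over the shell commands recorded above, of the kind a practitioner would turn these signatures into. Each sh -c child is one command line; the code unwraps sh -c, then tags recursive deletions that reach the sample's own path (self-deletion, here through the /tmp/* glob), /var/log (log wiping, here /var/log/wtmp), or a diagnostic tool (here /bin/netstat), pkill/killall of other processes (busybox, perl, python), and an unqualified iptables -A INPUT -j DROP (firewall lockout). OBSERVED is transcribed from the Arguments fields above; the path lists, the tag names and the treatment of a trailing /* glob are this example's own choices, not the sandbox's signature definitions.

```python
from __future__ import annotations

import shlex
from collections import defaultdict

# Transcribed from the "Arguments:" fields of the sh -c children in the process tree above.
SAMPLE_PATH = "/tmp/hwLFomKm8k"
OBSERVED = [
    'sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"',
    'sh -c "rm -rf /var/log/wtmp"',
    'sh -c "rm -rf /tmp/*"',
    'sh -c "rm -rf /bin/netstat"',
    'sh -c "pkill -9 busybox"',
    'sh -c "pkill -9 perl"',
    'sh -c "pkill -9 python"',
    'sh -c "iptables -A INPUT -j DROP"',
]

# Paths whose removal earns a tag; this list is the example's own choice.
LOG_DIR = "/var/log"
DIAG_TOOLS = ("/bin/netstat", "/usr/bin/netstat", "/bin/ps", "/usr/bin/ps", "/sbin/ss", "/usr/sbin/ss")


def inner_argv(cmdline: str) -> list[str]:
    """argv of the command actually executed; unwraps one level of sh -c "..."."""
    argv = shlex.split(cmdline)
    if len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] in ("sh", "bash", "ash") and argv[1] == "-c":
        return shlex.split(argv[2])
    return argv


def deletes(target: str, path: str) -> bool:
    """True if `rm -rf target` removes `path` or anything below it (one trailing /* glob understood)."""
    if target.endswith("/*"):
        return path.startswith(target[:-1])
    return path == target or path.startswith(target + "/") or target.startswith(path + "/")


def classify(cmdline: str, sample_path: str = SAMPLE_PATH) -> set[str]:
    """Behaviour tags for one recorded command line."""
    argv = inner_argv(cmdline)
    if not argv:
        return set()
    tool = argv[0].rsplit("/", 1)[-1]
    flags = {c for a in argv[1:] if a.startswith("-") and not a.startswith("--") for c in a[1:]}
    args = [a for a in argv[1:] if not a.startswith("-")]
    tags: set[str] = set()

    if tool == "rm" and "r" in flags:
        for target in args:
            if deletes(target, sample_path):
                tags.add("self_deletion")
            if deletes(target, LOG_DIR):
                tags.add("log_wiping")
            if any(deletes(target, t) for t in DIAG_TOOLS):
                tags.add("removes_diagnostic_tool")
    elif tool in ("pkill", "killall") and args:
        tags.add("kills_process")
    elif tool == "iptables":
        # -A/-I INPUT ... -j DROP with no match options (-p, -s, --dport, ...) drops every inbound packet.
        opts = [a for a in argv[1:] if a.startswith("-")]
        if "INPUT" in args and "DROP" in args and set(opts) <= {"-A", "-I", "-j"}:
            tags.add("firewall_lockout")
    return tags


def analyze(cmdlines: list[str], sample_path: str = SAMPLE_PATH) -> dict[str, list[str]]:
    """tag -> command lines that triggered it, over a whole process tree."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in cmdlines:
        for tag in sorted(classify(line, sample_path)):
            hits[tag].append(line)
    return dict(hits)


if __name__ == "__main__":
    for tag, lines in analyze(OBSERVED).items():
        print(tag)
        for line in lines:
            print("   ", line)
```

The sample path has to be supplied (here from the process tree's Arguments field) because the self-deletion signature only makes sense relative to where the binary was launched from; a plain `rm -rf /tmp/*` in a build script is not self-deletion. The iptables check deliberately ignores rules that carry match options, since dropping one port is ordinary hardening while an unqualified INPUT DROP cuts the device off from every inbound connection, including the operator's.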

        Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/rm (PID: 6245) File deleted: /tmp/hwLFomKm8k (the sample's own on-disk copy, removed when the shell expanded rm -rf /tmp/*; this is the basis of the "Sample deletes itself" signature). Only the file is gone: the already-running process (PID 6234 and its forks) keeps its mapped image, which is why the r-x memory dumps still match the Mirai Yara rule and are the place to recover the unpacked code from.

        Malware Analysis System Evasion

Source: /usr/bin/rm (PID: 6256) Truncated file: /var/log/wtmp
Source: /usr/bin/pkill (PID: 6265) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6272) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6275) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/hwLFomKm8k (PID: 6234) Queries kernel information via 'uname'
Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp Binary or memory string: 2U%V!/etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: R%V/tmp/qemu-open.WSG3Jy\
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: |x86_64/usr/bin/qemu-mips/tmp/hwLFomKm8kSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hwLFomKm8k
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: /tmp/qemu-open.WSG3Jy
Note: the qemu-mips, qemu-binfmt and qemu-open strings are not part of the sample. They come from QEMU user-mode emulation, through which the x64 analysis host ran this MIPS binary via binfmt_misc; a sample that looks for them can tell it is being emulated, and the results in this report reflect emulated rather than native execution. The environment block in the same dump (SUDO_USER, DISPLAY, XAUTHORITY, PATH, ...) is the sandbox operator's shell environment inherited by the process, not data collected by the malware.

        Stealing of Sensitive Information

Source: Yara match, file source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match, file source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match, file source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY

        Remote Access Functionality

Source: Yara match, file source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match, file source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match, file source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques with hits; hit count in parentheses)

  • Execution: Scripting (1)
  • Defense Evasion: Disable or Modify Tools (1), Scripting (1), Indicator Removal on Host (11), Obfuscated Files or Information (1), File Deletion (11)
  • Credential Access: OS Credential Dumping (1)
  • Discovery: Security Software Discovery (11), System Information Discovery (1), Remote System Discovery (1)
  • Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
  • No hits: Initial Access, Persistence, Privilege Escalation, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects, Impact
        No configs have been found
Behavior Graph (ID: 635041, sample: hwLFomKm8k, start date: 27/05/2022, architecture: LINUX, score: 64)

  • Contacted: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains
  • Signatures on the graph: Yara detected Mirai; Sample is packed with UPX; Opens /proc/net/* files useful for finding connected devices and routers
  • Process chain: hwLFomKm8k -> hwLFomKm8k (fork) -> hwLFomKm8k (fork) -> sh children