Edit tour

Linux Analysis Report
hwLFomKm8k

Overview

General Information

Sample Name:	hwLFomKm8k
Analysis ID:	635041
MD5:	038da709550f5fa2fb58077767bce04b
SHA1:	62c70c834e0a65db09099aa1d2b465244222816f
SHA256:	9e35c0b5c812027d6698b662bb771ada7c1d40cf04050f450feebcbbdbff6b9a
Tags:	32elfmips
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Sample deletes itself

Sample is packed with UPX

Deletes security-related log files

Opens /proc/net/* files useful for finding connected devices and routers

Executes the "kill" or "pkill" command typically used to terminate processes

Sample contains only a LOAD segment without any section mappings

Reads CPU information from /sys indicative of miner or evasive malware

Yara signature match

Deletes log files

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635041
Start date and time: 27/05/202211:33:16	2022-05-27 11:33:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hwLFomKm8k
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.spre.troj.evad.lin@0/1@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
VT rate limit hit for: hwLFomKm8k

Process Tree

system is lnxubuntu20

hwLFomKm8k (PID: 6234, Parent: 6126, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/hwLFomKm8k

hwLFomKm8k New Fork (PID: 6236, Parent: 6234)

hwLFomKm8k New Fork (PID: 6238, Parent: 6234)

hwLFomKm8k New Fork (PID: 6240, Parent: 6238)

hwLFomKm8k New Fork (PID: 6242, Parent: 6240)

sh (PID: 6242, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 6245, Parent: 6242)

rm (PID: 6245, Parent: 6242, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf

hwLFomKm8k New Fork (PID: 6254, Parent: 6240)

sh (PID: 6254, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 6256, Parent: 6254)

rm (PID: 6256, Parent: 6254, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

hwLFomKm8k New Fork (PID: 6257, Parent: 6240)

sh (PID: 6257, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 6259, Parent: 6257)

rm (PID: 6259, Parent: 6257, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

hwLFomKm8k New Fork (PID: 6260, Parent: 6240)

sh (PID: 6260, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 6262, Parent: 6260)

rm (PID: 6262, Parent: 6260, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

hwLFomKm8k New Fork (PID: 6263, Parent: 6240)

sh (PID: 6263, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 6265, Parent: 6263)

pkill (PID: 6265, Parent: 6263, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

hwLFomKm8k New Fork (PID: 6270, Parent: 6240)

sh (PID: 6270, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 6272, Parent: 6270)

pkill (PID: 6272, Parent: 6270, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

hwLFomKm8k New Fork (PID: 6273, Parent: 6240)

sh (PID: 6273, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 6275, Parent: 6273)

pkill (PID: 6275, Parent: 6273, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

hwLFomKm8k New Fork (PID: 6278, Parent: 6240)

sh (PID: 6278, Parent: 6240, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -j DROP"

sh New Fork (PID: 6280, Parent: 6278)

iptables (PID: 6280, Parent: 6278, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -j DROP

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hwLFomKm8k	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x99a0:$s1: PROT_EXEC\|PROT_WRITE failed. 0x9a0f:$s2: $Id: UPX 0x99c0:$s3: $Info: This file is packed with the UPX executable packer

Memory Dumps

Source	Rule	Description	Author
6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: /usr/bin/pkill (PID: 6265)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6272)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6275)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/hwLFomKm8k (PID: 6234)

Opens: /proc/net/route

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: hwLFomKm8k

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: hwLFomKm8k, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal64.spre.troj.evad.lin@0/1@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /bin/sh (PID: 6265)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 6272)	Pkill executable: /usr/bin/pkill -> pkill -9 perl	Jump to behavior
Source: /bin/sh (PID: 6275)	Pkill executable: /usr/bin/pkill -> pkill -9 python	Jump to behavior

Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6227/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6227/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6240/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6240/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6244/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6244/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6246/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/6246/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6265)	File opened: /proc/2/cmdline	Jump to behavior

Source: /tmp/hwLFomKm8k (PID: 6242)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6254)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6257)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6260)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6263)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6270)	Shell command executed: sh -c "pkill -9 perl"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6273)	Shell command executed: sh -c "pkill -9 python"	Jump to behavior
Source: /tmp/hwLFomKm8k (PID: 6278)	Shell command executed: sh -c "iptables -A INPUT -j DROP"	Jump to behavior

Source: /bin/sh (PID: 6245)	Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf	Jump to behavior
Source: /bin/sh (PID: 6256)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 6259)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 6262)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /usr/bin/rm (PID: 6245)

File: /tmp/hwLFomKm8k

Jump to behavior

Malware Analysis System Evasion

Deletes security-related log files

Source: /usr/bin/rm (PID: 6256)

Truncated file: /var/log/wtmp

Jump to behavior

Source: /usr/bin/pkill (PID: 6265)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6272)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 6275)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /usr/bin/rm (PID: 6256)

Truncated file: /var/log/wtmp

Jump to behavior

Source: /tmp/hwLFomKm8k (PID: 6234)

Queries kernel information via 'uname':

Jump to behavior

Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp	Binary or memory string: 2U%V!/etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: R%V/tmp/qemu-open.WSG3Jy\
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: \|x86_64/usr/bin/qemu-mips/tmp/hwLFomKm8kSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hwLFomKm8k
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp	Binary or memory string: /tmp/qemu-open.WSG3Jy

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	1 Disable or Modify Tools	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Indicator Removal on Host	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report
hwLFomKm8k

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report hwLFomKm8k

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Linux Analysis Report
hwLFomKm8k