
Linux Analysis Report
mNMOQlPshG

Overview

General Information

Sample Name:mNMOQlPshG
Analysis ID:635046
MD5:376ad57cf2b182915c6406fc09268968
SHA1:21217f2f50c79b3dea0a6f0219644d21d3dfc557
SHA256:6c47ca46c555299c33e44f0db3a3efc886b2d2aaa9a8a865a236d3a80a36b8aa
Tags:32armelf
Infos:

Detection

Mirai
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Opens /proc/net/* files useful for finding connected devices and routers
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:635046
Start date and time: 27/05/2022 11:39:28 (2022-05-27 11:39:28 +02:00)
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 49s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:mNMOQlPshG
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal72.spre.troj.evad.lin@0/0@0/0
  • Connection to analysis system has been lost, crash info: Unknown
  • system is lnxubuntu20
  • mNMOQlPshG (PID: 6232, Parent: 6133, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/mNMOQlPshG
    • mNMOQlPshG New Fork (PID: 6237, Parent: 6232)
      • mNMOQlPshG New Fork (PID: 6239, Parent: 6237)
        • sh (PID: 6243, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
          • sh New Fork (PID: 6245, Parent: 6243)
          • rm (PID: 6245, Parent: 6243, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/mNMOQlPshG /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware 
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
        • sh (PID: 6253, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"
          • sh New Fork (PID: 6255, Parent: 6253)
          • rm (PID: 6255, Parent: 6253, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp
        • sh (PID: 6256, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"
          • sh New Fork (PID: 6262, Parent: 6256)
          • rm (PID: 6262, Parent: 6256, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*
        • sh (PID: 6263, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"
          • sh New Fork (PID: 6265, Parent: 6263)
          • rm (PID: 6265, Parent: 6263, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat
        • sh (PID: 6266, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"
          • sh New Fork (PID: 6268, Parent: 6266)
          • pkill (PID: 6268, Parent: 6266, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox
        • sh (PID: 6269, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"
          • sh New Fork (PID: 6271, Parent: 6269)
          • pkill (PID: 6271, Parent: 6269, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl
        • sh (PID: 6274, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"
          • sh New Fork (PID: 6276, Parent: 6274)
          • pkill (PID: 6276, Parent: 6274, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python
        • sh (PID: 6277, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -j DROP"
          • sh New Fork (PID: 6279, Parent: 6277)
          • iptables (PID: 6279, Parent: 6277, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -j DROP
  • cleanup
Source: mNMOQlPshG
Rule: SUSP_ELF_LNX_UPX_Compressed_File
Description: Detects a suspicious ELF binary with UPX compression
Author: Florian Roth
Strings:
  • 0x9488:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x94f7:$s2: $Id: UPX
  • 0x94a8:$s3: $Info: This file is packed with the UPX executable packer
Source: 6232.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6237.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6235.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
        No Snort rule has matched

        AV Detection

        Source: mNMOQlPshGVirustotal: Detection: 20%
        Source: /usr/bin/pkill (PID: 6268)Reads CPU info from /sys: /sys/devices/system/cpu/online
        Source: /usr/bin/pkill (PID: 6271)Reads CPU info from /sys: /sys/devices/system/cpu/online
        Source: /usr/bin/pkill (PID: 6276)Reads CPU info from /sys: /sys/devices/system/cpu/online

        Spreading

        Source: /tmp/mNMOQlPshG (PID: 6232)Opens: /proc/net/route
        Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
        Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
        Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
        Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: mNMOQlPshGString found in binary or memory: http://upx.sf.net
        Source: LOAD without section mappingsProgram segment: 0x8000
        Source: mNMOQlPshG, type: SAMPLEMatched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
        Source: classification engineClassification label: mal72.spre.troj.evad.lin@0/0@0/0

        Data Obfuscation

        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /bin/sh (PID: 6268)Pkill executable: /usr/bin/pkill -> pkill -9 busybox
        Source: /bin/sh (PID: 6271)Pkill executable: /usr/bin/pkill -> pkill -9 perl
        Source: /bin/sh (PID: 6276)Pkill executable: /usr/bin/pkill -> pkill -9 python
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1582/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1582/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/3088/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/3088/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/230/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/230/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/110/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/110/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/231/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/231/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/111/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/111/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/232/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/232/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1579/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1579/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/112/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/112/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/233/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/233/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1699/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1699/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/113/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/113/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/234/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/234/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1335/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1335/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1698/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1698/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/114/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/114/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/235/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/235/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1334/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1334/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1576/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1576/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/2302/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/2302/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/115/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/115/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/236/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/236/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/116/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/116/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/237/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/237/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/117/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/117/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/118/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/118/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/910/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/910/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/119/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/119/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/912/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/912/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/10/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/10/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/2307/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/2307/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/11/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/11/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/918/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/918/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/12/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/12/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/13/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/13/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/14/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/14/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/15/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/15/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/16/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/16/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/17/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/17/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/18/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/18/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1594/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1594/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/120/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/120/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/121/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/121/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1349/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1349/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/1/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/122/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/122/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/243/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/243/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/123/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/123/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/2/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/2/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/124/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/124/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/3/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/3/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/4/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/4/cmdline
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/125/status
        Source: /usr/bin/pkill (PID: 6276)File opened: /proc/125/cmdline
        Source: /tmp/mNMOQlPshG (PID: 6243)Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
        Source: /tmp/mNMOQlPshG (PID: 6253)Shell command executed: sh -c "rm -rf /var/log/wtmp"
        Source: /tmp/mNMOQlPshG (PID: 6256)Shell command executed: sh -c "rm -rf /tmp/*"
        Source: /tmp/mNMOQlPshG (PID: 6263)Shell command executed: sh -c "rm -rf /bin/netstat"
        Source: /tmp/mNMOQlPshG (PID: 6266)Shell command executed: sh -c "pkill -9 busybox"
        Source: /tmp/mNMOQlPshG (PID: 6269)Shell command executed: sh -c "pkill -9 perl"
        Source: /tmp/mNMOQlPshG (PID: 6274)Shell command executed: sh -c "pkill -9 python"
        Source: /tmp/mNMOQlPshG (PID: 6277)Shell command executed: sh -c "iptables -A INPUT -j DROP"
        Source: /bin/sh (PID: 6245)Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/mNMOQlPshG /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te 
/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
        Source: /bin/sh (PID: 6255)Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
        Source: /bin/sh (PID: 6262)Rm executable: /usr/bin/rm -> rm -rf /tmp/*
        Source: /bin/sh (PID: 6265)Rm executable: /usr/bin/rm -> rm -rf /bin/netstat

        Hooking and other Techniques for Hiding and Protection

        Source: /usr/bin/rm (PID: 6245)File: /tmp/mNMOQlPshG

        Malware Analysis System Evasion

        Source: /usr/bin/rm (PID: 6255)Truncated file: /var/log/wtmp
        Source: /usr/bin/pkill (PID: 6268)Reads CPU info from /sys: /sys/devices/system/cpu/online
        Source: /usr/bin/pkill (PID: 6271)Reads CPU info from /sys: /sys/devices/system/cpu/online
        Source: /usr/bin/pkill (PID: 6276)Reads CPU info from /sys: /sys/devices/system/cpu/online
        Source: /usr/bin/rm (PID: 6255)Truncated file: /var/log/wtmp
        Source: /tmp/mNMOQlPshG (PID: 6232)Queries kernel information via 'uname':
        Source: mNMOQlPshG, 6232.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6235.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6237.1.00000000a35de681.00000000f61a084d.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
        Source: mNMOQlPshG, 6232.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6235.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6237.1.00000000c609cab4.0000000064147583.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/mNMOQlPshGSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mNMOQlPshG
        Source: mNMOQlPshG, 6232.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6235.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6237.1.00000000a35de681.00000000f61a084d.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: mNMOQlPshG, 6232.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6235.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6237.1.00000000c609cab4.0000000064147583.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

        Stealing of Sensitive Information

        Source: Yara matchFile source: 6232.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6237.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6235.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara matchFile source: 6232.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6237.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6235.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Scripting
        Path InterceptionPath Interception1
        Disable or Modify Tools
        1
        OS Credential Dumping
        11
        Security Software Discovery
        Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Scripting
        LSASS Memory1
        System Information Discovery
        Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
        Application Layer Protocol
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
        Indicator Removal on Host
        Security Account Manager1
        Remote System Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        Obfuscated Files or Information
        NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
        File Deletion
        LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        No configs have been found
        Behavior Graph (ID: 635046, Sample: mNMOQlPshG, Start date: 27/05/2022, Architecture: LINUX, Score: 72). Contacted hosts: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains. Graph-level signatures: Multi AV Scanner detection for submitted file; Yara detected Mirai; Sample is packed with UPX; Opens /proc/net/* files useful for finding connected devices and routers; Sample deletes itself; Deletes security-related log files. Process tree shown in the graph: mNMOQlPshG -> mNMOQlPshG -> mNMOQlPshG -> sh (three shown, plus 5 other processes) -> rm, pkill and 2 other processes.
        Source: mNMOQlPshG, Detection: 20%, Scanner: Virustotal
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        No contacted domains info
        Name: http://upx.sf.net, Source: mNMOQlPshG, Malicious: false, Reputation: high
          IP: 172.245.210.119, Domain: unknown, Country: United States, ASN: 36352, ASN Name: AS-COLOCROSSINGUS, Malicious: false
          IP: 109.202.202.202, Domain: unknown, Country: Switzerland, ASN: 13030, ASN Name: INIT7CH, Malicious: false
          IP: 91.189.91.43, Domain: unknown, Country: United Kingdom, ASN: 41231, ASN Name: CANONICAL-ASGB, Malicious: false
          IP: 91.189.91.42, Domain: unknown, Country: United Kingdom, ASN: 41231, ASN Name: CANONICAL-ASGB, Malicious: false
          No context
          No context
          No context
          No context
          No context
          No created / dropped files found
          File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
          Entropy (8bit):7.977681148888247
          TrID:
          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
          File name:mNMOQlPshG
          File size:49584
          MD5:376ad57cf2b182915c6406fc09268968
          SHA1:21217f2f50c79b3dea0a6f0219644d21d3dfc557
          SHA256:6c47ca46c555299c33e44f0db3a3efc886b2d2aaa9a8a865a236d3a80a36b8aa
          SHA512:c05495c16b109aed814c73054582194b201a93c0c9f9893d3b4572e4993eee4f46b11f325ef1dd27d878eb9c83fc33bbd8e93db92fe8ce4b778162f164a30055
          SSDEEP:1536:c9Afe4Si20ChlEsk0K4FdP9Y6zYm5ZGG1p:7feb7k0rf1NEm6q
          TLSH:822302816BC394ACCF44D4BFC97D904DF73F95988EE9DD502438D7B0279202996E42E5
          File Content Preview:.ELF...a..........(.........4...........4. ...(.....................g...g................(...(...(..................Q.td............................t.6.UPX!........m[..m[......S..........?.E.h;.}...^..........f13.Av4.jq.....un.V..j.$..g.."...K..E.1..:.i.R

          ELF header

          Class:ELF32
          Data:2's complement, little endian
          Version:1 (current)
          Machine:ARM
          Version Number:0x1
          Type:EXEC (Executable file)
          OS/ABI:ARM - ABI
          ABI Version:0
          Entry Point Address:0x109b8
          Flags:0x202
          ELF Header Size:52
          Program Header Offset:52
          Program Header Size:32
          Number of Program Headers:3
          Section Header Offset:0
          Section Header Size:40
          Number of Section Headers:0
          Header String Table Index:0
          Type: LOAD, Offset: 0x0, Virtual Address: 0x8000, Physical Address: 0x8000, File Size: 0x9b67, Memory Size: 0x9b67, Entropy: 4.0025, Flags: 0x5 (R E), Align: 0x8000, Prog Interpreter: none, Section Mappings: none
          Type: LOAD, Offset: 0x28c4, Virtual Address: 0x328c4, Physical Address: 0x328c4, File Size: 0x0, Memory Size: 0x0, Entropy: 0.0000, Flags: 0x6 (RW), Align: 0x8000, Prog Interpreter: none, Section Mappings: none
          Type: GNU_STACK, Offset: 0x0, Virtual Address: 0x0, Physical Address: 0x0, File Size: 0x0, Memory Size: 0x0, Entropy: 0.0000, Flags: 0x7 (RWE), Align: 0x4, Prog Interpreter: none, Section Mappings: none
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          May 27, 2022 11:40:17.747812033 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43
          May 27, 2022 11:40:18.259733915 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
          May 27, 2022 11:40:19.078557968 CEST | 40610 | 17372 | 192.168.2.23 | 172.245.210.119
          May 27, 2022 11:40:19.221335888 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:40:19.221436024 CEST | 40610 | 17372 | 192.168.2.23 | 172.245.210.119
          May 27, 2022 11:40:20.084465027 CEST | 40610 | 17372 | 192.168.2.23 | 172.245.210.119
          May 27, 2022 11:40:20.227571011 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:40:20.228106022 CEST | 40610 | 17372 | 192.168.2.23 | 172.245.210.119
          May 27, 2022 11:40:20.229295015 CEST | 40610 | 17372 | 192.168.2.23 | 172.245.210.119
          May 27, 2022 11:40:20.371939898 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:40:32.851219893 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
          May 27, 2022 11:40:45.139053106 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43
          May 27, 2022 11:40:49.234911919 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
          May 27, 2022 11:41:13.810270071 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
          May 27, 2022 11:41:19.421430111 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:19.837929964 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:20.270889997 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:21.136964083 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:22.866996050 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:26.330895901 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:33.250652075 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:41:47.106523991 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23
          May 27, 2022 11:42:14.817894936 CEST | 17372 | 40610 | 172.245.210.119 | 192.168.2.23

          System Behavior

          Start time:11:40:17
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:/tmp/mNMOQlPshG
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:17
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:17
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:17
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:19
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:19
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:19
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:19
          Start date:27/05/2022
          Path:/usr/bin/rm
          Arguments:rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/mNMOQlPshG /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
          File size:72056 bytes
          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b
          Start time:11:40:28
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "rm -rf /var/log/wtmp"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/usr/bin/rm
          Arguments:rm -rf /var/log/wtmp
          File size:72056 bytes
          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b
          Start time:11:40:28
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "rm -rf /tmp/*"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/usr/bin/rm
          Arguments:rm -rf /tmp/*
          File size:72056 bytes
          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b
          Start time:11:40:28
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "rm -rf /bin/netstat"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/usr/bin/rm
          Arguments:rm -rf /bin/netstat
          File size:72056 bytes
          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b
          Start time:11:40:28
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "pkill -9 busybox"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:28
          Start date:27/05/2022
          Path:/usr/bin/pkill
          Arguments:pkill -9 busybox
          File size:30968 bytes
          MD5 hash:fa96a75a08109d8842e4865b2907d51f
          Start time:11:40:30
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:30
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "pkill -9 perl"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:30
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:30
          Start date:27/05/2022
          Path:/usr/bin/pkill
          Arguments:pkill -9 perl
          File size:30968 bytes
          MD5 hash:fa96a75a08109d8842e4865b2907d51f
          Start time:11:40:34
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:34
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "pkill -9 python"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:34
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:34
          Start date:27/05/2022
          Path:/usr/bin/pkill
          Arguments:pkill -9 python
          File size:30968 bytes
          MD5 hash:fa96a75a08109d8842e4865b2907d51f
          Start time:11:40:36
          Start date:27/05/2022
          Path:/tmp/mNMOQlPshG
          Arguments:n/a
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
          Start time:11:40:36
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:sh -c "iptables -A INPUT -j DROP"
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:36
          Start date:27/05/2022
          Path:/bin/sh
          Arguments:n/a
          File size:129816 bytes
          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c
          Start time:11:40:36
          Start date:27/05/2022
          Path:/usr/sbin/iptables
          Arguments:iptables -A INPUT -j DROP
          File size:99296 bytes
          MD5 hash:1ab05fef765b6342cdfadaa5275b33af