Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
QSZX0h5asQ

Overview

General Information

Sample Name:QSZX0h5asQ
Analysis ID:635059
MD5:91638d450f8a4faf1061dfe5f283044d
SHA1:93e405ba8f5dcf8f55b631703772652dadaa39be
SHA256:b6615f5067419bdad205b51bade85b152082dc6ff2357f98f83a9b50f842004f
Tags:32elfmipsmirai
Infos:

Detection

Mirai
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Opens /proc/net/* files useful for finding connected devices and routers
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:635059
Start date and time: 27/05/202211:55:472022-05-27 11:55:47 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 17s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:QSZX0h5asQ
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal72.spre.troj.evad.lin@0/0@0/0
  • Connection to analysis system has been lost, crash info: Unknown
  • system is lnxubuntu20
  • QSZX0h5asQ (PID: 6225, Parent: 6131, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/QSZX0h5asQ
    • QSZX0h5asQ New Fork (PID: 6230, Parent: 6225)
      • QSZX0h5asQ New Fork (PID: 6232, Parent: 6230)
        • sh (PID: 6234, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
          • sh New Fork (PID: 6237, Parent: 6234)
          • rm (PID: 6237, Parent: 6234, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/QSZX0h5asQ /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
        • sh (PID: 6248, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"
          • sh New Fork (PID: 6250, Parent: 6248)
          • rm (PID: 6250, Parent: 6248, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp
        • sh (PID: 6251, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"
          • sh New Fork (PID: 6253, Parent: 6251)
          • rm (PID: 6253, Parent: 6251, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*
        • sh (PID: 6254, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"
          • sh New Fork (PID: 6256, Parent: 6254)
          • rm (PID: 6256, Parent: 6254, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat
        • sh (PID: 6257, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"
          • sh New Fork (PID: 6259, Parent: 6257)
          • pkill (PID: 6259, Parent: 6257, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox
        • sh (PID: 6264, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"
          • sh New Fork (PID: 6266, Parent: 6264)
          • pkill (PID: 6266, Parent: 6264, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl
        • sh (PID: 6267, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"
          • sh New Fork (PID: 6269, Parent: 6267)
          • pkill (PID: 6269, Parent: 6267, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python
        • sh (PID: 6272, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -j DROP"
          • sh New Fork (PID: 6274, Parent: 6272)
          • iptables (PID: 6274, Parent: 6272, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -j DROP
  • cleanup
SourceRuleDescriptionAuthorStrings
QSZX0h5asQSUSP_ELF_LNX_UPX_Compressed_FileDetects a suspicious ELF binary with UPX compressionFlorian Roth
  • 0x9bf8:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x9c67:$s2: $Id: UPX
  • 0x9c18:$s3: $Info: This file is packed with the UPX executable packer
SourceRuleDescriptionAuthorStrings
6228.1.00000000e9eec560.0000000058e523d7.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
    6230.1.00000000e9eec560.0000000058e523d7.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      6225.1.00000000e9eec560.0000000058e523d7.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
        No Snort rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: QSZX0h5asQVirustotal: Detection: 36%Perma Link
        Source: /usr/bin/pkill (PID: 6259)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior
        Source: /usr/bin/pkill (PID: 6269)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior

        Spreading

        barindex
        Source: /tmp/QSZX0h5asQ (PID: 6225)Opens: /proc/net/routeJump to behavior
        Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
        Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
        Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
        Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: QSZX0h5asQString found in binary or memory: http://upx.sf.net
        Source: LOAD without section mappingsProgram segment: 0x100000
        Source: QSZX0h5asQ, type: SAMPLEMatched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
        Source: classification engineClassification label: mal72.spre.troj.evad.lin@0/0@0/0

        Data Obfuscation

        barindex
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /bin/sh (PID: 6259)Pkill executable: /usr/bin/pkill -> pkill -9 busyboxJump to behavior
        Source: /bin/sh (PID: 6266)Pkill executable: /usr/bin/pkill -> pkill -9 perlJump to behavior
        Source: /bin/sh (PID: 6269)Pkill executable: /usr/bin/pkill -> pkill -9 pythonJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/6232/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/6232/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/6235/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/6235/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1582/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1582/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/3088/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/3088/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/230/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/230/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/110/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/110/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/231/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/231/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/111/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/111/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/232/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/232/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1579/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1579/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/112/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/112/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/233/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/233/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1699/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1699/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/113/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/113/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/234/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/234/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1335/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1335/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1698/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1698/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/114/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/114/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/235/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/235/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1334/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1334/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1576/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1576/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/2302/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/2302/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/115/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/115/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/236/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/236/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/116/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/116/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/237/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/237/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/117/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/117/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/118/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/118/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/910/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/910/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/119/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/119/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/912/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/912/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/10/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/10/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/2307/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/2307/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/11/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/11/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/918/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/918/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/12/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/12/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/13/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/13/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/14/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/14/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/15/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/15/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/16/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/16/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/17/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/17/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/18/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/18/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1594/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1594/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/120/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/120/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/121/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/121/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1349/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1349/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/1/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/122/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/122/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/243/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/243/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/123/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/123/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/2/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/2/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/124/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/124/cmdlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/3/statusJump to behavior
        Source: /usr/bin/pkill (PID: 6266)File opened: /proc/3/cmdlineJump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6234)Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6248)Shell command executed: sh -c "rm -rf /var/log/wtmp"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6251)Shell command executed: sh -c "rm -rf /tmp/*"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6254)Shell command executed: sh -c "rm -rf /bin/netstat"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6257)Shell command executed: sh -c "pkill -9 busybox"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6264)Shell command executed: sh -c "pkill -9 perl"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6267)Shell command executed: sh -c "pkill -9 python"Jump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6272)Shell command executed: sh -c "iptables -A INPUT -j DROP"Jump to behavior
        Source: /bin/sh (PID: 6237)Rm executable: /usr/bin/rm -> rm -rf /tmp/QSZX0h5asQ /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnafJump to behavior
        Source: /bin/sh (PID: 6250)Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmpJump to behavior
        Source: /bin/sh (PID: 6253)Rm executable: /usr/bin/rm -> rm -rf /tmp/*Jump to behavior
        Source: /bin/sh (PID: 6256)Rm executable: /usr/bin/rm -> rm -rf /bin/netstatJump to behavior

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: /usr/bin/rm (PID: 6237)File: /tmp/QSZX0h5asQJump to behavior

        Malware Analysis System Evasion

        barindex
        Source: /usr/bin/rm (PID: 6250)Truncated file: /var/log/wtmpJump to behavior
        Source: /usr/bin/pkill (PID: 6259)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior
        Source: /usr/bin/pkill (PID: 6266)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior
        Source: /usr/bin/pkill (PID: 6269)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior
        Source: /usr/bin/rm (PID: 6250)Truncated file: /var/log/wtmpJump to behavior
        Source: /tmp/QSZX0h5asQ (PID: 6225)Queries kernel information via 'uname': Jump to behavior
        Source: QSZX0h5asQ, 6225.1.00000000060f9c4e.00000000a246f620.rw-.sdmp, QSZX0h5asQ, 6228.1.00000000060f9c4e.00000000a246f620.rw-.sdmp, QSZX0h5asQ, 6230.1.00000000060f9c4e.00000000a246f620.rw-.sdmpBinary or memory string: 1x86_64/usr/bin/qemu-mipsel/tmp/QSZX0h5asQSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/QSZX0h5asQ
        Source: QSZX0h5asQ, 6225.1.000000004a1973cf.00000000e807843f.rw-.sdmp, QSZX0h5asQ, 6228.1.000000004a1973cf.00000000e807843f.rw-.sdmp, QSZX0h5asQ, 6230.1.000000004a1973cf.00000000e807843f.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
        Source: QSZX0h5asQ, 6225.1.000000004a1973cf.00000000e807843f.rw-.sdmp, QSZX0h5asQ, 6228.1.000000004a1973cf.00000000e807843f.rw-.sdmp, QSZX0h5asQ, 6230.1.000000004a1973cf.00000000e807843f.rw-.sdmpBinary or memory string: 4V!/etc/qemu-binfmt/mipsel
        Source: QSZX0h5asQ, 6225.1.00000000060f9c4e.00000000a246f620.rw-.sdmp, QSZX0h5asQ, 6228.1.00000000060f9c4e.00000000a246f620.rw-.sdmp, QSZX0h5asQ, 6230.1.00000000060f9c4e.00000000a246f620.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: 6228.1.00000000e9eec560.0000000058e523d7.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6230.1.00000000e9eec560.0000000058e523d7.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6225.1.00000000e9eec560.0000000058e523d7.r-x.sdmp, type: MEMORY

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: 6228.1.00000000e9eec560.0000000058e523d7.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6230.1.00000000e9eec560.0000000058e523d7.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 6225.1.00000000e9eec560.0000000058e523d7.r-x.sdmp, type: MEMORY
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Scripting
        Path InterceptionPath Interception1
        Disable or Modify Tools
        1
        OS Credential Dumping
        11
        Security Software Discovery
        Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Scripting
        LSASS Memory1
        System Information Discovery
        Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
        Application Layer Protocol
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
        Indicator Removal on Host
        Security Account Manager1
        Remote System Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        Obfuscated Files or Information
        NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
        File Deletion
        LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        No configs have been found
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 635059 Sample: QSZX0h5asQ Startdate: 27/05/2022 Architecture: LINUX Score: 72 42 109.202.202.202, 80 INIT7CH Switzerland 2->42 44 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->44 46 2 other IPs or domains 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Mirai 2->50 52 Sample is packed with UPX 2->52 10 QSZX0h5asQ 2->10         started        signatures3 process4 signatures5 54 Opens /proc/net/* files useful for finding connected devices and routers 10->54 13 QSZX0h5asQ 10->13         started        15 QSZX0h5asQ 10->15         started        process6 process7 17 QSZX0h5asQ 13->17         started        process8 19