Linux Analysis Report
SBNGwWC7Wb

Overview

General Information

Sample Name: SBNGwWC7Wb
Analysis ID: 635393
MD5: 275c6e393dcacee32b9ddd8bb4ad8196
SHA1: 64a8605d5f69142a08385b359d3a6fd73120880d
SHA256: bb0fea23f67c783d1b0d3f8f92e1fd91f1c5d85f7782bc135f0269057e2ab4c3
Tags: 32 elf mips mirai

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

AV Detection

Source: SBNGwWC7Wb Virustotal: Detection: 21%
Source: SBNGwWC7Wb ReversingLabs: Detection: 25%

Networking

Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:39008 -> 45.95.169.139:9372
Source: /tmp/SBNGwWC7Wb (PID: 6234) Socket: 0.0.0.0::23
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: SBNGwWC7Wb String found in binary or memory: http://upx.sf.net

System Summary

Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 658, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 720, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 759, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 772, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 789, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 800, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 904, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 936, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1320, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1389, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1463, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1465, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1576, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1809, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1888, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1890, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 1983, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 2048, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 2062, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 6042, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 6187, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 6226, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234) SIGKILL sent: pid: 6238, result: successful
Source: LOAD without section mappings Program segment: 0x100000
Source: SBNGwWC7Wb, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine Classification label: mal68.spre.troj.evad.lin@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Hooking and other Techniques for Hiding and Protection

Source: /tmp/SBNGwWC7Wb (PID: 6224) Queries kernel information via 'uname'
Source: SBNGwWC7Wb, 6224.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000e275f183.00000000a359d085.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips
Source: SBNGwWC7Wb, 6224.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000e275f183.00000000a359d085.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: SBNGwWC7Wb, 6224.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: SBNGwWC7Wb, 6224.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp Binary or memory string: r#x86_64/usr/bin/qemu-mips/tmp/SBNGwWC7WbSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SBNGwWC7Wb

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP