Linux Analysis Report
gmjJxVFJKQ

Overview

General Information

Sample Name: gmjJxVFJKQ
Analysis ID: 635404
MD5: a8fbc7563fe019ca689573d43d7797f3
SHA1: d9842c2d31a7357d8c92414edbff9e60fce317b2
SHA256: e92cdc162e5091c4916d12d2f4a5f7e7e9ffdb4dae8a18427d81f97ed08edcef
Tags: 32elfmipsmirai
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: gmjJxVFJKQ Virustotal: Detection: 23% Perma Link
Source: gmjJxVFJKQ ReversingLabs: Detection: 25%

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34194
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34196
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34200
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34216
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34270
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34276
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34284
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34296
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34314
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34336
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34362
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34380
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34390
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34406
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34416
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34422
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34428
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34432
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34440
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34444
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:39008 -> 45.95.169.139:9372
Sample listens on a socket
Source: /tmp/gmjJxVFJKQ (PID: 6231) Socket: 0.0.0.0::23 Jump to behavior
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 218.86.102.45
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 89.164.70.101
Source: unknown TCP traffic detected without corresponding DNS query: 217.177.184.187
Source: unknown TCP traffic detected without corresponding DNS query: 137.203.173.101
Source: unknown TCP traffic detected without corresponding DNS query: 155.99.22.98
Source: unknown TCP traffic detected without corresponding DNS query: 46.217.120.146
Source: unknown TCP traffic detected without corresponding DNS query: 186.170.70.118
Source: unknown TCP traffic detected without corresponding DNS query: 254.28.163.74
Source: unknown TCP traffic detected without corresponding DNS query: 245.178.131.122
Source: unknown TCP traffic detected without corresponding DNS query: 71.50.252.6
Source: unknown TCP traffic detected without corresponding DNS query: 247.241.101.225
Source: unknown TCP traffic detected without corresponding DNS query: 169.103.254.33
Source: unknown TCP traffic detected without corresponding DNS query: 217.149.131.222
Source: unknown TCP traffic detected without corresponding DNS query: 50.29.87.192
Source: unknown TCP traffic detected without corresponding DNS query: 154.78.128.153
Source: unknown TCP traffic detected without corresponding DNS query: 196.71.251.245
Source: unknown TCP traffic detected without corresponding DNS query: 182.198.255.62
Source: unknown TCP traffic detected without corresponding DNS query: 194.1.19.128
Source: unknown TCP traffic detected without corresponding DNS query: 184.80.135.250
Source: unknown TCP traffic detected without corresponding DNS query: 40.108.39.88
Source: unknown TCP traffic detected without corresponding DNS query: 58.131.100.205
Source: unknown TCP traffic detected without corresponding DNS query: 55.22.119.253
Source: unknown TCP traffic detected without corresponding DNS query: 123.60.253.41
Source: unknown TCP traffic detected without corresponding DNS query: 24.223.94.97
Source: unknown TCP traffic detected without corresponding DNS query: 124.255.49.41
Source: unknown TCP traffic detected without corresponding DNS query: 51.121.140.119
Source: unknown TCP traffic detected without corresponding DNS query: 174.66.91.90
Source: unknown TCP traffic detected without corresponding DNS query: 81.127.88.64
Source: unknown TCP traffic detected without corresponding DNS query: 146.138.186.154
Source: unknown TCP traffic detected without corresponding DNS query: 153.133.26.3
Source: unknown TCP traffic detected without corresponding DNS query: 5.246.6.138
Source: unknown TCP traffic detected without corresponding DNS query: 40.7.92.121
Source: unknown TCP traffic detected without corresponding DNS query: 168.213.213.48
Source: unknown TCP traffic detected without corresponding DNS query: 107.58.152.236
Source: unknown TCP traffic detected without corresponding DNS query: 106.140.190.10
Source: unknown TCP traffic detected without corresponding DNS query: 45.40.92.114
Source: unknown TCP traffic detected without corresponding DNS query: 38.118.238.219
Source: unknown TCP traffic detected without corresponding DNS query: 102.68.131.199
Source: unknown TCP traffic detected without corresponding DNS query: 153.58.190.192
Source: unknown TCP traffic detected without corresponding DNS query: 82.23.27.208
Source: unknown TCP traffic detected without corresponding DNS query: 42.80.232.227
Source: unknown TCP traffic detected without corresponding DNS query: 58.218.67.178
Source: unknown TCP traffic detected without corresponding DNS query: 178.186.128.30
Source: unknown TCP traffic detected without corresponding DNS query: 202.67.70.191
Source: unknown TCP traffic detected without corresponding DNS query: 107.229.100.210
Source: unknown TCP traffic detected without corresponding DNS query: 51.169.126.77
Source: unknown TCP traffic detected without corresponding DNS query: 18.233.116.93
Source: unknown TCP traffic detected without corresponding DNS query: 17.130.24.122
Source: gmjJxVFJKQ String found in binary or memory: http://upx.sf.net

System Summary
barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 789, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 904, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1463, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1465, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1576, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1890, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 2062, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6045, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6192, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6225, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6235, result: successful Jump to behavior
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: gmjJxVFJKQ, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 789, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 904, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1463, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1465, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1576, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1890, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 2062, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6045, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6192, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6225, result: successful Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) SIGKILL sent: pid: 6235, result: successful Jump to behavior
Source: classification engine Classification label: mal68.spre.troj.evad.lin@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Enumerates processes within the "proc" file system
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/6235/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2033/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2275/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/3088/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/6193/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/6192/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1612/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1699/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1698/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2028/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2302/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/3236/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2025/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2146/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/910/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/912/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/517/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/759/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2307/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/918/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2285/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2281/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1623/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/761/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1622/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/884/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1983/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2038/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2156/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/800/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/801/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1629/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1627/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/3021/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/491/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2294/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2050/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1877/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/772/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1633/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1632/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/774/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1477/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/654/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/896/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1476/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1872/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2048/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/655/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2289/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/656/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/777/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/657/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4466/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/658/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4467/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4500/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4468/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4469/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4502/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/419/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/936/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1639/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1638/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2208/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2180/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1809/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1494/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1890/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2063/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2062/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1888/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1886/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/420/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1489/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/785/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1642/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/788/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/667/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/789/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/1648/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4492/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/6157/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2078/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2077/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2074/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2195/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/670/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/4490/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/2746/exe Jump to behavior
Source: /tmp/gmjJxVFJKQ (PID: 6231) File opened: /proc/793/exe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34194
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34196
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34200
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34216
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34270
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34272
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34276
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34278
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34284
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34290
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34296
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34314
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34336
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34362
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34380
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34390
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34406
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34416
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34422
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34428
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34432
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34440
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 34444
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/gmjJxVFJKQ (PID: 6223) Queries kernel information via 'uname': Jump to behavior
Source: gmjJxVFJKQ, 6223.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6225.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6226.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6233.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6235.1.0000000001028965.00000000829b0766.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: gmjJxVFJKQ, 6223.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6225.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6226.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6233.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6235.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/gmjJxVFJKQSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gmjJxVFJKQ
Source: gmjJxVFJKQ, 6223.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6225.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6226.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6233.1.0000000001028965.00000000829b0766.rw-.sdmp, gmjJxVFJKQ, 6235.1.0000000001028965.00000000829b0766.rw-.sdmp Binary or memory string: &V!/etc/qemu-binfmt/mipsel
Source: gmjJxVFJKQ, 6223.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6225.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6226.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6233.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp, gmjJxVFJKQ, 6235.1.0000000043b059e0.00000000b73dc09b.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
179.181.176.98
 unknown Brazil
10429 TELEFONICABRASILSABR false
83.6.123.68
 unknown Poland
5617 TPNETPL false
212.117.245.240
 unknown European Union
3561 CENTURYLINK-LEGACY-SAVVISUS false
39.208.21.158
 unknown Indonesia
23693 TELKOMSEL-ASN-IDPTTelekomunikasiSelularID false
129.152.120.162
 unknown United States
7160 NETDYNAMICSUS false
78.134.1.110
 unknown Italy
35612 NGI-ASIT false
200.11.55.186
 unknown Peru
6147 TelefonicadelPeruSAAPE false
158.250.44.138
 unknown Russian Federation
2683 RADIO-MSURADIO-MSUEU false
76.197.217.4
 unknown United States
7018 ATT-INTERNET4US false
173.45.39.91
 unknown United States
33597 ATLANTIC-METRO-COMMUNICATIONS-II-INCUS false
129.154.158.48
 unknown United States
7160 NETDYNAMICSUS false
70.46.105.145
 unknown United States
7029 WINDSTREAMUS false
156.43.93.37
 unknown United Kingdom
3549 LVLT-3549US false
11.15.144.105
 unknown United States
3356 LEVEL3US false
63.34.86.17
 unknown United States
16509 AMAZON-02US false
52.118.189.55
 unknown United States
36351 SOFTLAYERUS false
115.76.201.180
 unknown Viet Nam
7552 VIETEL-AS-APViettelGroupVN false
207.142.100.93
 unknown United States
27229 WEBHOST-ASN1US false
152.133.192.199
 unknown United States
29992 VA-TMP-COREUS false
204.176.239.90
 unknown United States
701 UUNETUS false
114.8.69.141
 unknown Indonesia
56046 CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN false
181.13.216.197
 unknown Argentina
7303 TelecomArgentinaSAAR false
30.36.127.176
 unknown United States
7922 COMCAST-7922US false
112.114.205.160
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
149.148.16.109
 unknown Austria
2494 MUWNETMUWNETAutonomousSystemAT false
31.60.104.188
 unknown Poland
5617 TPNETPL false
22.200.27.214
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
43.64.131.238
 unknown Japan 4249 LILLY-ASUS false
96.209.51.126
 unknown United States
7922 COMCAST-7922US false
125.144.13.186
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
3.143.238.175
 unknown United States
16509 AMAZON-02US false
193.43.44.10
 unknown Italy
3269 ASN-IBSNAZIT false
211.133.52.222
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
108.197.70.158
 unknown United States
7018 ATT-INTERNET4US false
144.185.40.170
 unknown United States
19773 MOTOROLAUS false
104.150.9.208
 unknown United States
1832 SMUUS false
81.137.94.161
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
22.12.154.202
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
151.99.155.238
 unknown Italy
3269 ASN-IBSNAZIT false
31.219.177.128
 unknown United Arab Emirates
8966 ETISALAT-ASPOBox1150DubaiUAE false
137.145.59.136
 unknown United States
2152 CSUNET-NWUS false
23.200.128.157
 unknown United States
14638 LCPRLUS false
39.176.217.227
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
218.2.240.61
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
181.152.79.162
 unknown Colombia
26611 COMCELSACO false
78.119.70.105
 unknown France
8228 CEGETEL-ASFR false
130.125.217.205
 unknown Switzerland
559 SWITCHPeeringrequestspeeringswitchchEU false
18.230.73.245
 unknown United States
16509 AMAZON-02US false
73.160.78.147
 unknown United States
7922 COMCAST-7922US false
151.171.24.143
 unknown United States
3257 GTT-BACKBONEGTTDE false
31.89.219.233
 unknown United Kingdom
12576 EELtdGB false
128.30.226.157
 unknown United States
3 MIT-GATEWAYSUS false
183.57.192.37
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
151.255.85.241
 unknown Saudi Arabia
39451 MELBOURNE-ASGB false
39.163.166.11
 unknown China
24445 CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN false
197.252.128.197
 unknown Sudan
15706 SudatelSD false
105.114.236.209
 unknown Nigeria
36873 VNL1-ASNG false
29.146.52.83
 unknown United States
7922 COMCAST-7922US false
252.118.26.52
 unknown Reserved
unknown unknown false
145.55.14.173
 unknown United Kingdom
1103 SURFNET-NLSURFnetTheNetherlandsNL false
29.52.115.242
 unknown United States
7922 COMCAST-7922US false
210.85.166.50
 unknown Taiwan; Republic of China (ROC)
7482 APOL-ASAsiaPacificOn-lineServiceIncTW false
19.76.79.167
 unknown United States
3 MIT-GATEWAYSUS false
184.95.51.79
 unknown United States
20454 SSASN2US false
58.105.224.126
 unknown Australia
4804 MPX-ASMicroplexPTYLTDAU false
70.34.47.217
 unknown United States
15830 EQUINIX-CONNECT-EMEAGB false
81.225.146.229
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE false
58.32.178.207
 unknown China
4812 CHINANET-SH-APChinaTelecomGroupCN false
188.121.44.111
 unknown Germany
21501 GODADDY-AMSDE false
106.96.40.205
 unknown Korea Republic of
17853 LGTELECOM-AS-KRLGTELECOMKR false
242.161.53.186
 unknown Reserved
unknown unknown false
181.250.206.235
 unknown Colombia
26611 COMCELSACO false
18.176.199.11
 unknown United States
16509 AMAZON-02US false
142.5.110.66
 unknown Canada
46606 UNIFIEDLAYER-AS-1US false
114.235.99.95
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
162.139.66.206
 unknown Canada
40341 Q9-AS-CAL2CA false
48.16.103.185
 unknown United States
2686 ATGS-MMD-ASUS false
205.6.160.185
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
63.153.51.35
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
90.29.33.106
 unknown France
3215 FranceTelecom-OrangeFR false
212.58.250.50
 unknown United Kingdom
2818 BBCBBCInternetServicesUKGB false
42.215.246.135
 unknown China
4249 LILLY-ASUS false
161.253.110.135
 unknown United States
11039 GWUUS false
171.204.130.148
 unknown United States
10794 BANKAMERICAUS false
104.144.232.233
 unknown Canada
55286 SERVER-MANIACA false
183.105.106.47
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
158.218.168.105
 unknown United Kingdom
2907 SINET-ASResearchOrganizationofInformationandSystemsN false
36.119.225.165
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
220.165.128.130
 unknown China
134765 CHINANET-YUNNAN-IDC1CHINANETYunnanprovinceIDC1network false
56.227.65.101
 unknown United States
2686 ATGS-MMD-ASUS false
109.126.35.19
 unknown Russian Federation
42038 VLADLINK-ASRU false
159.38.64.36
 unknown Sweden
19399 SLLNETEU false
223.96.74.95
 unknown China
24444 CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany false
252.33.149.249
 unknown Reserved
unknown unknown false
57.217.232.34
 unknown Belgium
2686 ATGS-MMD-ASUS false
31.226.76.24
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
139.35.103.114
 unknown United States
9905 LINKNET-ID-APLinknetASNID false
83.76.95.50
 unknown Switzerland
3303 SWISSCOMSwisscomSwitzerlandLtdCH false
110.113.89.16
 unknown China
24138 CTTNETChinaTieTongTelecommunicationsCorporationCN false
19.133.219.65
 unknown United States
3 MIT-GATEWAYSUS false