Linux Analysis Report
5zKnElN0F2

Overview

General Information

Sample Name: 5zKnElN0F2
Analysis ID: 635411
MD5: d74bf4db8e2e43cbdc9c527ec15356b0
SHA1: 5de6b4e1a4b1f896ec6b3b6b473c8afb4d6f40a1
SHA256: c0b3f4b9a9a57965c0429b5199e634012e223a4617a13a89dc5e2508085e5575
Tags: 32elfmiraipowerpc
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 5zKnElN0F2 ReversingLabs: Detection: 30%

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50378
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50380
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50382
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50388
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50392
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50396
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50402
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50414
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50420
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50422
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50430
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50434
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50436
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50448
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50456
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50466
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50468
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50478
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50482
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50494
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54182
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54188
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54194
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54200
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54206
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54212
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54218
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54222
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54228
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54232
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54238
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54244
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54250
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54258
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54276
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54288
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54306
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54332
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54352
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54366
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54408
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54436
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54460
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54486
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57128
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57142
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57146
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57156
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:39008 -> 45.95.169.139:9372
Sample listens on a socket
Source: /tmp/5zKnElN0F2 (PID: 6233) Socket: 0.0.0.0::23 Jump to behavior
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 249.169.15.40
Source: unknown TCP traffic detected without corresponding DNS query: 104.199.228.40
Source: unknown TCP traffic detected without corresponding DNS query: 20.56.144.190
Source: unknown TCP traffic detected without corresponding DNS query: 103.176.96.40
Source: unknown TCP traffic detected without corresponding DNS query: 29.151.218.80
Source: unknown TCP traffic detected without corresponding DNS query: 192.5.233.79
Source: unknown TCP traffic detected without corresponding DNS query: 203.254.91.17
Source: unknown TCP traffic detected without corresponding DNS query: 197.68.217.22
Source: unknown TCP traffic detected without corresponding DNS query: 172.136.171.162
Source: unknown TCP traffic detected without corresponding DNS query: 84.169.157.116
Source: unknown TCP traffic detected without corresponding DNS query: 70.83.239.117
Source: unknown TCP traffic detected without corresponding DNS query: 189.56.57.181
Source: unknown TCP traffic detected without corresponding DNS query: 147.145.145.36
Source: unknown TCP traffic detected without corresponding DNS query: 124.80.238.203
Source: unknown TCP traffic detected without corresponding DNS query: 82.36.65.251
Source: unknown TCP traffic detected without corresponding DNS query: 201.154.224.153
Source: unknown TCP traffic detected without corresponding DNS query: 204.218.135.134
Source: unknown TCP traffic detected without corresponding DNS query: 126.67.223.153
Source: unknown TCP traffic detected without corresponding DNS query: 94.128.230.229
Source: unknown TCP traffic detected without corresponding DNS query: 240.228.179.208
Source: unknown TCP traffic detected without corresponding DNS query: 16.182.131.136
Source: unknown TCP traffic detected without corresponding DNS query: 44.65.107.245
Source: unknown TCP traffic detected without corresponding DNS query: 75.106.47.86
Source: unknown TCP traffic detected without corresponding DNS query: 137.127.90.198
Source: unknown TCP traffic detected without corresponding DNS query: 108.135.179.99
Source: unknown TCP traffic detected without corresponding DNS query: 252.151.202.166
Source: unknown TCP traffic detected without corresponding DNS query: 142.27.4.128
Source: unknown TCP traffic detected without corresponding DNS query: 32.150.0.9
Source: unknown TCP traffic detected without corresponding DNS query: 178.182.189.196
Source: unknown TCP traffic detected without corresponding DNS query: 247.142.150.14
Source: unknown TCP traffic detected without corresponding DNS query: 95.80.50.226
Source: unknown TCP traffic detected without corresponding DNS query: 145.119.160.167
Source: unknown TCP traffic detected without corresponding DNS query: 126.53.28.195
Source: unknown TCP traffic detected without corresponding DNS query: 60.37.188.179
Source: unknown TCP traffic detected without corresponding DNS query: 53.12.116.174
Source: unknown TCP traffic detected without corresponding DNS query: 8.47.163.205
Source: unknown TCP traffic detected without corresponding DNS query: 151.232.166.68
Source: unknown TCP traffic detected without corresponding DNS query: 254.203.17.44
Source: unknown TCP traffic detected without corresponding DNS query: 163.138.31.255
Source: unknown TCP traffic detected without corresponding DNS query: 204.211.151.168
Source: unknown TCP traffic detected without corresponding DNS query: 46.84.226.86
Source: unknown TCP traffic detected without corresponding DNS query: 82.73.227.91
Source: unknown TCP traffic detected without corresponding DNS query: 109.62.224.105
Source: unknown TCP traffic detected without corresponding DNS query: 217.116.246.176
Source: unknown TCP traffic detected without corresponding DNS query: 212.139.142.36
Source: unknown TCP traffic detected without corresponding DNS query: 245.8.37.2
Source: unknown TCP traffic detected without corresponding DNS query: 249.52.26.203
Source: unknown TCP traffic detected without corresponding DNS query: 187.217.81.167
Source: unknown TCP traffic detected without corresponding DNS query: 76.117.182.151
Source: 5zKnElN0F2 String found in binary or memory: http://upx.sf.net

System Summary
barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 789, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 904, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1463, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1465, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1576, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1890, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 2062, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6045, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6189, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6227, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6238, result: successful Jump to behavior
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: 5zKnElN0F2, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample tries to kill a process (SIGKILL)
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 789, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 904, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1463, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1465, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1576, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1890, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 2062, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6045, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6189, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6227, result: successful Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) SIGKILL sent: pid: 6238, result: successful Jump to behavior
Source: classification engine Classification label: mal68.spre.troj.evad.lin@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Enumerates processes within the "proc" file system
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/6235/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2033/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2275/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/3088/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/6194/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1612/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1699/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1698/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2028/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2302/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/3236/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2025/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2146/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/910/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/6227/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/912/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/517/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/759/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2307/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/918/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2285/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2281/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1623/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/761/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1622/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/884/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1983/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2038/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2156/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/800/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/6238/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/801/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1629/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1627/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/3021/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/491/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2294/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2050/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1877/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/772/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1633/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1632/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/774/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1477/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/654/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/896/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1476/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1872/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2048/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/655/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2289/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/656/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/777/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/657/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4466/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/658/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4467/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4468/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4469/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4502/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/419/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/936/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1639/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1638/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2208/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2180/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1809/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1494/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1890/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2063/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2062/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1888/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1886/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/420/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1489/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/785/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1642/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/788/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/667/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/789/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/1648/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4495/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/6156/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4498/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2078/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2077/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2074/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2195/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/670/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/4490/exe Jump to behavior
Source: /tmp/5zKnElN0F2 (PID: 6233) File opened: /proc/2746/exe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50378
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50380
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50382
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50388
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50392
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50396
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50402
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50414
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50420
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50422
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50430
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50434
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50436
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50444
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50448
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50456
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50466
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50468
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50478
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50482
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50488
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 50494
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54182
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54188
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54194
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54200
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54206
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54212
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54218
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54222
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54228
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54232
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54238
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54244
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54250
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54258
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54274
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54276
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54288
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54306
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54332
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54352
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54366
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54408
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54436
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54460
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54474
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 54486
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57128
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57142
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57146
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57156
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/5zKnElN0F2 (PID: 6225) Queries kernel information via 'uname': Jump to behavior
Source: 5zKnElN0F2, 6225.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000e3b31b61.00000000feb11032.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: 5zKnElN0F2, 6225.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6229.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000258270c1.0000000060d5cb64.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/5zKnElN0F2SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/5zKnElN0F2
Source: 5zKnElN0F2, 6229.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000e3b31b61.00000000feb11032.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: 5zKnElN0F2, 6225.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6229.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000e3b31b61.00000000feb11032.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: 5zKnElN0F2, 6225.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6229.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000258270c1.0000000060d5cb64.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
248.213.59.144
 unknown Reserved
unknown unknown false
251.130.127.226
 unknown Reserved
unknown unknown false
88.75.6.154
 unknown Germany
3209 VODANETInternationalIP-BackboneofVodafoneDE false
152.40.102.106
 unknown United States
53785 UNC-GREENSBOROUS false
152.38.121.52
 unknown United States
81 NCRENUS false
202.218.0.155
 unknown Japan 4694 IDCFIDCFrontierIncJP false
85.84.124.101
 unknown Spain
12338 EUSKALTELES false
181.242.239.177
 unknown Colombia
26611 COMCELSACO false
166.17.196.160
 unknown United States
206 CSC-IGN-AMERUS false
6.71.232.135
 unknown United States
1479 DNIC-ASBLK-01478-01479US false
215.140.101.179
 unknown United States
721 DNIC-ASBLK-00721-00726US false
131.67.195.233
 unknown United States
138 DNIC-AS-00138US false
216.47.114.137
 unknown United States
397187 NHN-GLOBALUS false
175.44.191.61
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
57.95.244.181
 unknown Belgium
51964 ORANGE-BUSINESS-SERVICES-IPSN-ASNFR false
182.181.115.112
 unknown Pakistan
45595 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK false
147.36.189.252
 unknown United States
1559 DNIC-ASBLK-01550-01601US false
16.163.191.244
 unknown United States
unknown unknown false
102.125.211.85
 unknown Sudan
36972 MTNSD false
242.207.165.243
 unknown Reserved
unknown unknown false
220.146.79.49
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
59.204.179.210
 unknown China
2516 KDDIKDDICORPORATIONJP false
176.67.118.196
 unknown Palestinian Territory Occupied
51407 MADA-ASPS false
95.225.107.120
 unknown Italy
3269 ASN-IBSNAZIT false
7.179.30.152
 unknown United States
3356 LEVEL3US false
209.248.243.235
 unknown United States
7029 WINDSTREAMUS false
21.7.113.27
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
17.3.87.47
 unknown United States
714 APPLE-ENGINEERINGUS false
72.97.169.89
 unknown United States
22394 CELLCOUS false
57.141.231.103
 unknown Belgium
2686 ATGS-MMD-ASUS false
91.220.89.64
 unknown Austria
51767 JOHANNITER-UNFALL-HILFEAT false
11.33.204.40
 unknown United States
3356 LEVEL3US false
70.30.247.30
 unknown Canada
577 BACOMCA false
98.19.126.216
 unknown United States
7029 WINDSTREAMUS false
173.7.4.52
 unknown United States
10507 SPCSUS false
64.123.49.206
 unknown United States
7018 ATT-INTERNET4US false
71.161.139.71
 unknown United States
701 UUNETUS false
221.27.57.106
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
57.252.101.85
 unknown Belgium
2686 ATGS-MMD-ASUS false
221.239.50.117
 unknown China
17638 CHINATELECOM-TJ-AS-APASNforTIANJINProvincialNetofCT false
60.26.69.53
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
67.116.193.63
 unknown United States
7018 ATT-INTERNET4US false
160.184.16.245
 unknown South Africa
36903 MT-MPLSMA false
251.16.126.103
 unknown Reserved
unknown unknown false
193.245.180.21
 unknown Belgium
3549 LVLT-3549US false
8.188.45.192
 unknown Singapore
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false
125.143.119.66
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
152.31.80.240
 unknown United States
6559 NCIHUS false
12.92.121.104
 unknown United States
7018 ATT-INTERNET4US false
215.126.53.189
 unknown United States
721 DNIC-ASBLK-00721-00726US false
3.131.241.119
 unknown United States
16509 AMAZON-02US false
191.92.238.155
 unknown Colombia
27831 ColombiaMovilCO false
24.26.58.217
 unknown United States
10796 TWC-10796-MIDWESTUS false
63.72.64.154
 unknown United States
701 UUNETUS false
9.115.4.121
 unknown United States
3356 LEVEL3US false
57.25.76.38
 unknown Belgium
2686 ATGS-MMD-ASUS false
167.38.155.197
 unknown Canada
2665 CDAGOVNCA false
163.151.39.36
 unknown United States
36161 WESTCHESTERCOUNTY-NYUS false
82.224.120.126
 unknown France
12322 PROXADFR false
53.72.59.103
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
171.130.11.59
 unknown United States
9874 STARHUB-MOBILEStarHubLtdSG false
215.91.18.89
 unknown United States
721 DNIC-ASBLK-00721-00726US false
25.254.25.135
 unknown United Kingdom
199055 UKCLOUD-ASGB false
71.192.101.169
 unknown United States
7922 COMCAST-7922US false
85.196.199.247
 unknown Estonia
61307 EE-AS-STVEE false
91.250.181.214
 unknown Spain
12479 UNI2-ASES false
215.55.124.124
 unknown United States
721 DNIC-ASBLK-00721-00726US false
109.218.10.173
 unknown France
3215 FranceTelecom-OrangeFR false
100.188.108.206
 unknown United States
21928 T-MOBILE-AS21928US false
181.66.216.170
 unknown Peru
6147 TelefonicadelPeruSAAPE false
18.107.223.195
 unknown United States
3 MIT-GATEWAYSUS false
119.80.115.135
 unknown China
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
176.151.103.215
 unknown France
5410 BOUYGTEL-ISPFR false
96.105.107.122
 unknown United States
7922 COMCAST-7922US false
160.95.83.51
 unknown United States
217 UMN-SYSTEMUS false
209.219.101.83
 unknown United States
7029 WINDSTREAMUS false
159.197.33.178
 unknown United Kingdom
1273 CWVodafoneGroupPLCEU false
141.238.20.159
 unknown United States
395015 SUNY-FREDONIAUS false
100.63.227.120
 unknown United States
701 UUNETUS false
163.226.55.140
 unknown Japan 24297 FCNUniversityPublicCorporationOsakaJP false
189.166.254.5
 unknown Mexico
8151 UninetSAdeCVMX false
130.247.179.246
 unknown United States
786 JANETJiscServicesLimitedGB false
40.196.42.224
 unknown United States
4249 LILLY-ASUS false
134.214.79.249
 unknown France
2060 FR-RENATERRENATER_ASNBLOCK1EU false
244.140.81.28
 unknown Reserved
unknown unknown false
86.176.103.153
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
145.208.19.23
 unknown Netherlands
1101 IP-EEND-ASIP-EENDBVNL false
113.105.159.164
 unknown China
134763 CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN false
105.91.86.94
 unknown Egypt
36992 ETISALAT-MISREG false
12.141.232.110
 unknown United States
7018 ATT-INTERNET4US false
31.172.254.55
 unknown United Kingdom
34920 SIMPLY-ROMFORDGB false
76.144.187.104
 unknown United States
7922 COMCAST-7922US false
4.0.229.194
 unknown United States
3356 LEVEL3US false
48.35.173.172
 unknown United States
2686 ATGS-MMD-ASUS false
170.178.42.2
 unknown United States
11685 HNBCOL-ASUS false
61.207.245.49
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
195.189.238.150
 unknown Russian Federation
41654 INETRARU false
1.5.141.51
 unknown Japan 4725 ODNSoftBankMobileCorpJP false
186.224.149.70
 unknown Brazil
28580 CILNETComunicacaoeInformaticaLTDABR false
255.150.73.125
 unknown Reserved
unknown unknown false