Edit tour

Linux Analysis Report
5zKnElN0F2

Overview

General Information

Sample Name:	5zKnElN0F2
Analysis ID:	635411
MD5:	d74bf4db8e2e43cbdc9c527ec15356b0
SHA1:	5de6b4e1a4b1f896ec6b3b6b473c8afb4d6f40a1
SHA256:	c0b3f4b9a9a57965c0429b5199e634012e223a4617a13a89dc5e2508085e5575
Tags:	32elfmiraipowerpc
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample tries to kill multiple processes (SIGKILL)

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635411
Start date and time: 27/05/202221:16:42	2022-05-27 21:16:42 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	5zKnElN0F2
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.spre.troj.evad.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100
VT rate limit hit for: 5zKnElN0F2

Runtime Messages

Command:	/tmp/5zKnElN0F2
PID:	6225
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Infected
Standard Error:

Process Tree

system is lnxubuntu20

5zKnElN0F2 (PID: 6225, Parent: 6126, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/5zKnElN0F2

5zKnElN0F2 New Fork (PID: 6227, Parent: 6225)

5zKnElN0F2 New Fork (PID: 6229, Parent: 6225)

5zKnElN0F2 New Fork (PID: 6233, Parent: 6229)

5zKnElN0F2 New Fork (PID: 6236, Parent: 6229)

5zKnElN0F2 New Fork (PID: 6238, Parent: 6236)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5zKnElN0F2	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x9154:$s1: PROT_EXEC\|PROT_WRITE failed. 0x91c3:$s2: $Id: UPX 0x9174:$s3: $Info: This file is packed with the UPX executable packer

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 5zKnElN0F2

ReversingLabs: Detection: 30%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50378
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50380
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50382
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50384
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50388
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50392
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50396
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50400
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50402
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50414
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50420
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50422
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50426
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50430
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50434
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50436
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50444
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50448
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50456
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50462
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50466
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50468
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50474
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50478
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50482
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50488
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50494
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54182
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54188
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54194
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54200
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54206
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54212
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54218
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54222
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54228
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54238
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54244
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54250
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54258
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54288
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54306
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54332
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54352
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54384
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54408
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54436
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54460
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54474
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54486
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57156

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:39008 -> 45.95.169.139:9372

Source: /tmp/5zKnElN0F2 (PID: 6233)

Socket: 0.0.0.0::23

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 249.169.15.40
Source: unknown	TCP traffic detected without corresponding DNS query: 104.199.228.40
Source: unknown	TCP traffic detected without corresponding DNS query: 20.56.144.190
Source: unknown	TCP traffic detected without corresponding DNS query: 103.176.96.40
Source: unknown	TCP traffic detected without corresponding DNS query: 29.151.218.80
Source: unknown	TCP traffic detected without corresponding DNS query: 192.5.233.79
Source: unknown	TCP traffic detected without corresponding DNS query: 203.254.91.17
Source: unknown	TCP traffic detected without corresponding DNS query: 197.68.217.22
Source: unknown	TCP traffic detected without corresponding DNS query: 172.136.171.162
Source: unknown	TCP traffic detected without corresponding DNS query: 84.169.157.116
Source: unknown	TCP traffic detected without corresponding DNS query: 70.83.239.117
Source: unknown	TCP traffic detected without corresponding DNS query: 189.56.57.181
Source: unknown	TCP traffic detected without corresponding DNS query: 147.145.145.36
Source: unknown	TCP traffic detected without corresponding DNS query: 124.80.238.203
Source: unknown	TCP traffic detected without corresponding DNS query: 82.36.65.251
Source: unknown	TCP traffic detected without corresponding DNS query: 201.154.224.153
Source: unknown	TCP traffic detected without corresponding DNS query: 204.218.135.134
Source: unknown	TCP traffic detected without corresponding DNS query: 126.67.223.153
Source: unknown	TCP traffic detected without corresponding DNS query: 94.128.230.229
Source: unknown	TCP traffic detected without corresponding DNS query: 240.228.179.208
Source: unknown	TCP traffic detected without corresponding DNS query: 16.182.131.136
Source: unknown	TCP traffic detected without corresponding DNS query: 44.65.107.245
Source: unknown	TCP traffic detected without corresponding DNS query: 75.106.47.86
Source: unknown	TCP traffic detected without corresponding DNS query: 137.127.90.198
Source: unknown	TCP traffic detected without corresponding DNS query: 108.135.179.99
Source: unknown	TCP traffic detected without corresponding DNS query: 252.151.202.166
Source: unknown	TCP traffic detected without corresponding DNS query: 142.27.4.128
Source: unknown	TCP traffic detected without corresponding DNS query: 32.150.0.9
Source: unknown	TCP traffic detected without corresponding DNS query: 178.182.189.196
Source: unknown	TCP traffic detected without corresponding DNS query: 247.142.150.14
Source: unknown	TCP traffic detected without corresponding DNS query: 95.80.50.226
Source: unknown	TCP traffic detected without corresponding DNS query: 145.119.160.167
Source: unknown	TCP traffic detected without corresponding DNS query: 126.53.28.195
Source: unknown	TCP traffic detected without corresponding DNS query: 60.37.188.179
Source: unknown	TCP traffic detected without corresponding DNS query: 53.12.116.174
Source: unknown	TCP traffic detected without corresponding DNS query: 8.47.163.205
Source: unknown	TCP traffic detected without corresponding DNS query: 151.232.166.68
Source: unknown	TCP traffic detected without corresponding DNS query: 254.203.17.44
Source: unknown	TCP traffic detected without corresponding DNS query: 163.138.31.255
Source: unknown	TCP traffic detected without corresponding DNS query: 204.211.151.168
Source: unknown	TCP traffic detected without corresponding DNS query: 46.84.226.86
Source: unknown	TCP traffic detected without corresponding DNS query: 82.73.227.91
Source: unknown	TCP traffic detected without corresponding DNS query: 109.62.224.105
Source: unknown	TCP traffic detected without corresponding DNS query: 217.116.246.176
Source: unknown	TCP traffic detected without corresponding DNS query: 212.139.142.36
Source: unknown	TCP traffic detected without corresponding DNS query: 245.8.37.2
Source: unknown	TCP traffic detected without corresponding DNS query: 249.52.26.203
Source: unknown	TCP traffic detected without corresponding DNS query: 187.217.81.167
Source: unknown	TCP traffic detected without corresponding DNS query: 76.117.182.151

Source: 5zKnElN0F2

String found in binary or memory: http://upx.sf.net

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 658, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 772, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 789, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 904, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1320, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1389, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1463, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1465, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1576, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1809, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1888, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1890, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1983, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 2048, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 2062, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6045, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6189, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6227, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6238, result: successful

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5zKnElN0F2, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 658, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 772, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 789, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 904, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1320, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1389, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1463, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1465, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1576, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1809, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1888, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1890, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 1983, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 2048, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 2062, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6045, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6189, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6227, result: successful
Source: /tmp/5zKnElN0F2 (PID: 6233)	SIGKILL sent: pid: 6238, result: successful

Source: classification engine

Classification label: mal68.spre.troj.evad.lin@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/6235/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1582/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2033/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2275/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/3088/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/6194/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1612/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1579/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1699/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1335/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1698/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2028/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1334/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1576/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2302/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/3236/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2025/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2146/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/910/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/6227/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/912/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/517/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/759/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2307/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/918/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1594/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2285/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2281/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1349/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1623/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/761/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1622/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/884/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1983/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2038/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1344/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1465/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1586/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1463/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2156/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/800/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/6238/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/801/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1629/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1627/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1900/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/3021/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/491/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2294/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2050/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1877/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/772/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1633/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1599/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1632/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/774/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1477/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/654/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/896/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1476/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1872/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2048/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/655/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1475/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2289/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/656/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/777/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/657/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4466/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/658/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4467/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4468/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4469/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4502/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/419/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/936/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1639/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1638/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2208/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2180/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1809/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1494/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1890/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2063/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2062/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1888/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1886/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/420/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1489/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/785/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1642/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/788/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/667/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/789/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/1648/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4495/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/6156/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4498/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2078/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2077/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2074/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2195/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/670/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/4490/exe
Source: /tmp/5zKnElN0F2 (PID: 6233)	File opened: /proc/2746/exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50378
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50380
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50382
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50384
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50388
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50392
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50396
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50400
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50402
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50414
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50420
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50422
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50426
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50430
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50434
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50436
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50444
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50448
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50456
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50462
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50466
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50468
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50474
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50478
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50482
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50488
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50494
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54182
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54188
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54194
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54200
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54206
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54212
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54218
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54222
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54228
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54238
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54244
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54250
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54258
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54262
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54288
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54306
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54332
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54352
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54384
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54408
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54436
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54460
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54474
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54486
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 57156

Source: /tmp/5zKnElN0F2 (PID: 6225)

Queries kernel information via 'uname':

Source: 5zKnElN0F2, 6225.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000e3b31b61.00000000feb11032.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: 5zKnElN0F2, 6225.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6229.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000258270c1.0000000060d5cb64.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/5zKnElN0F2SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/5zKnElN0F2
Source: 5zKnElN0F2, 6229.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000e3b31b61.00000000feb11032.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: 5zKnElN0F2, 6225.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6229.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000e3b31b61.00000000feb11032.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000e3b31b61.00000000feb11032.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: 5zKnElN0F2, 6225.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6227.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6229.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6236.1.00000000258270c1.0000000060d5cb64.rw-.sdmp, 5zKnElN0F2, 6238.1.00000000258270c1.0000000060d5cb64.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Service Stop
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5zKnElN0F2	30%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	5zKnElN0F2	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
248.213.59.144	unknown	Reserved	unknown	unknown	false
251.130.127.226	unknown	Reserved	unknown	unknown	false
88.75.6.154	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
152.40.102.106	unknown	United States	53785	UNC-GREENSBOROUS	false
152.38.121.52	unknown	United States	81	NCRENUS	false
202.218.0.155	unknown	Japan	4694	IDCFIDCFrontierIncJP	false
85.84.124.101	unknown	Spain	12338	EUSKALTELES	false
181.242.239.177	unknown	Colombia	26611	COMCELSACO	false
166.17.196.160	unknown	United States	206	CSC-IGN-AMERUS	false
6.71.232.135	unknown	United States	1479	DNIC-ASBLK-01478-01479US	false
215.140.101.179	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
131.67.195.233	unknown	United States	138	DNIC-AS-00138US	false
216.47.114.137	unknown	United States	397187	NHN-GLOBALUS	false
175.44.191.61	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
57.95.244.181	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
182.181.115.112	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
147.36.189.252	unknown	United States	1559	DNIC-ASBLK-01550-01601US	false
16.163.191.244	unknown	United States	unknown	unknown	false
102.125.211.85	unknown	Sudan	36972	MTNSD	false
242.207.165.243	unknown	Reserved	unknown	unknown	false
220.146.79.49	unknown	Japan	2510	INFOWEBFUJITSULIMITEDJP	false
59.204.179.210	unknown	China	2516	KDDIKDDICORPORATIONJP	false
176.67.118.196	unknown	Palestinian Territory Occupied	51407	MADA-ASPS	false
95.225.107.120	unknown	Italy	3269	ASN-IBSNAZIT	false
7.179.30.152	unknown	United States	3356	LEVEL3US	false
209.248.243.235	unknown	United States	7029	WINDSTREAMUS	false
21.7.113.27	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
17.3.87.47	unknown	United States	714	APPLE-ENGINEERINGUS	false
72.97.169.89	unknown	United States	22394	CELLCOUS	false
57.141.231.103	unknown	Belgium	2686	ATGS-MMD-ASUS	false
91.220.89.64	unknown	Austria	51767	JOHANNITER-UNFALL-HILFEAT	false
11.33.204.40	unknown	United States	3356	LEVEL3US	false
70.30.247.30	unknown	Canada	577	BACOMCA	false
98.19.126.216	unknown	United States	7029	WINDSTREAMUS	false
173.7.4.52	unknown	United States	10507	SPCSUS	false
64.123.49.206	unknown	United States	7018	ATT-INTERNET4US	false
71.161.139.71	unknown	United States	701	UUNETUS	false
221.27.57.106	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
57.252.101.85	unknown	Belgium	2686	ATGS-MMD-ASUS	false
221.239.50.117	unknown	China	17638	CHINATELECOM-TJ-AS-APASNforTIANJINProvincialNetofCT	false
60.26.69.53	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
67.116.193.63	unknown	United States	7018	ATT-INTERNET4US	false
160.184.16.245	unknown	South Africa	36903	MT-MPLSMA	false
251.16.126.103	unknown	Reserved	unknown	unknown	false
193.245.180.21	unknown	Belgium	3549	LVLT-3549US	false
8.188.45.192	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
125.143.119.66	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
152.31.80.240	unknown	United States	6559	NCIHUS	false
12.92.121.104	unknown	United States	7018	ATT-INTERNET4US	false
215.126.53.189	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
3.131.241.119	unknown	United States	16509	AMAZON-02US	false
191.92.238.155	unknown	Colombia	27831	ColombiaMovilCO	false
24.26.58.217	unknown	United States	10796	TWC-10796-MIDWESTUS	false
63.72.64.154	unknown	United States	701	UUNETUS	false
9.115.4.121	unknown	United States	3356	LEVEL3US	false
57.25.76.38	unknown	Belgium	2686	ATGS-MMD-ASUS	false
167.38.155.197	unknown	Canada	2665	CDAGOVNCA	false
163.151.39.36	unknown	United States	36161	WESTCHESTERCOUNTY-NYUS	false
82.224.120.126	unknown	France	12322	PROXADFR	false
53.72.59.103	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
171.130.11.59	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
215.91.18.89	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
25.254.25.135	unknown	United Kingdom	199055	UKCLOUD-ASGB	false
71.192.101.169	unknown	United States	7922	COMCAST-7922US	false
85.196.199.247	unknown	Estonia	61307	EE-AS-STVEE	false
91.250.181.214	unknown	Spain	12479	UNI2-ASES	false
215.55.124.124	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
109.218.10.173	unknown	France	3215	FranceTelecom-OrangeFR	false
100.188.108.206	unknown	United States	21928	T-MOBILE-AS21928US	false
181.66.216.170	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
18.107.223.195	unknown	United States	3	MIT-GATEWAYSUS	false
119.80.115.135	unknown	China	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
176.151.103.215	unknown	France	5410	BOUYGTEL-ISPFR	false
96.105.107.122	unknown	United States	7922	COMCAST-7922US	false
160.95.83.51	unknown	United States	217	UMN-SYSTEMUS	false
209.219.101.83	unknown	United States	7029	WINDSTREAMUS	false
159.197.33.178	unknown	United Kingdom	1273	CWVodafoneGroupPLCEU	false
141.238.20.159	unknown	United States	395015	SUNY-FREDONIAUS	false
100.63.227.120	unknown	United States	701	UUNETUS	false
163.226.55.140	unknown	Japan	24297	FCNUniversityPublicCorporationOsakaJP	false
189.166.254.5	unknown	Mexico	8151	UninetSAdeCVMX	false
130.247.179.246	unknown	United States	786	JANETJiscServicesLimitedGB	false
40.196.42.224	unknown	United States	4249	LILLY-ASUS	false
134.214.79.249	unknown	France	2060	FR-RENATERRENATER_ASNBLOCK1EU	false
244.140.81.28	unknown	Reserved	unknown	unknown	false
86.176.103.153	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
145.208.19.23	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
113.105.159.164	unknown	China	134763	CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN	false
105.91.86.94	unknown	Egypt	36992	ETISALAT-MISREG	false
12.141.232.110	unknown	United States	7018	ATT-INTERNET4US	false
31.172.254.55	unknown	United Kingdom	34920	SIMPLY-ROMFORDGB	false
76.144.187.104	unknown	United States	7922	COMCAST-7922US	false
4.0.229.194	unknown	United States	3356	LEVEL3US	false
48.35.173.172	unknown	United States	2686	ATGS-MMD-ASUS	false
170.178.42.2	unknown	United States	11685	HNBCOL-ASUS	false
61.207.245.49	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
195.189.238.150	unknown	Russian Federation	41654	INETRARU	false
1.5.141.51	unknown	Japan	4725	ODNSoftBankMobileCorpJP	false
186.224.149.70	unknown	Brazil	28580	CILNETComunicacaoeInformaticaLTDABR	false
255.150.73.125	unknown	Reserved	unknown	unknown	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.9643107024054975
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	5zKnElN0F2
File size:	39372
MD5:	d74bf4db8e2e43cbdc9c527ec15356b0
SHA1:	5de6b4e1a4b1f896ec6b3b6b473c8afb4d6f40a1
SHA256:	c0b3f4b9a9a57965c0429b5199e634012e223a4617a13a89dc5e2508085e5575
SHA512:	d262f391e46bf85eabadd74dfc74d78a2eb1fd25d32b45b8f9b6e2cbaeed624a1a32237897014bf26346bbbe27d71e0a3a5d7fad1d12dbcbfc86086b5fb22a1f
SSDEEP:	768:FdCZnhT/jFCaEQd4RC8he9+QZu3ckO7jTlZKhnHdM9i285BE4uVcqgw09M:O5hnFOQURhCZtB7j/oHdAijQ4u+qgw0W
TLSH:	F903F1BDD0B90DC1EB6BED6C8C77C2A82EE15F9AF2E6CDA4329C6F5149060395345D40
File Content Preview:	.ELF...........................4.........4. ...(....................................................................dt.Q................................UPX!..........E...E........W.......?.E.h4...@b..................d/%.....)..2x....F...NUu....]<fh.u...B.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x1086d8
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0x98c0	0x98c0	4.1310	0x5	R E	0x10000
LOAD	0xa6e0	0x1002a6e0	0x1002a6e0	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 21:17:30.366656065 CEST	42836	443	192.168.2.23	91.189.91.43
May 27, 2022 21:17:30.629111052 CEST	6556	23	192.168.2.23	249.169.15.40
May 27, 2022 21:17:30.629196882 CEST	6556	23	192.168.2.23	104.199.228.40
May 27, 2022 21:17:30.629240990 CEST	6556	23	192.168.2.23	20.56.144.190
May 27, 2022 21:17:30.629249096 CEST	6556	23	192.168.2.23	103.176.96.40
May 27, 2022 21:17:30.629260063 CEST	6556	23	192.168.2.23	159.38.110.212
May 27, 2022 21:17:30.629281044 CEST	6556	23	192.168.2.23	29.151.218.80
May 27, 2022 21:17:30.629290104 CEST	6556	23	192.168.2.23	192.5.233.79
May 27, 2022 21:17:30.629291058 CEST	6556	23	192.168.2.23	203.254.91.17
May 27, 2022 21:17:30.629333973 CEST	6556	23	192.168.2.23	197.68.217.22
May 27, 2022 21:17:30.629347086 CEST	6556	23	192.168.2.23	172.136.171.162
May 27, 2022 21:17:30.629360914 CEST	6556	23	192.168.2.23	84.169.157.116
May 27, 2022 21:17:30.629373074 CEST	6556	23	192.168.2.23	70.83.239.117
May 27, 2022 21:17:30.629398108 CEST	6556	23	192.168.2.23	189.56.57.181
May 27, 2022 21:17:30.629414082 CEST	6556	23	192.168.2.23	147.145.145.36
May 27, 2022 21:17:30.629421949 CEST	6556	23	192.168.2.23	124.80.238.203
May 27, 2022 21:17:30.629425049 CEST	6556	23	192.168.2.23	82.36.65.251
May 27, 2022 21:17:30.629445076 CEST	6556	23	192.168.2.23	201.154.224.153
May 27, 2022 21:17:30.629451036 CEST	6556	23	192.168.2.23	204.218.135.134
May 27, 2022 21:17:30.629452944 CEST	6556	23	192.168.2.23	126.67.223.153
May 27, 2022 21:17:30.629468918 CEST	6556	23	192.168.2.23	94.128.230.229
May 27, 2022 21:17:30.629489899 CEST	6556	23	192.168.2.23	249.110.130.18
May 27, 2022 21:17:30.629511118 CEST	6556	23	192.168.2.23	240.228.179.208
May 27, 2022 21:17:30.629512072 CEST	6556	23	192.168.2.23	16.182.131.136
May 27, 2022 21:17:30.629523993 CEST	6556	23	192.168.2.23	44.65.107.245
May 27, 2022 21:17:30.629534960 CEST	6556	23	192.168.2.23	75.106.47.86
May 27, 2022 21:17:30.629547119 CEST	6556	23	192.168.2.23	137.127.90.198
May 27, 2022 21:17:30.629569054 CEST	6556	23	192.168.2.23	108.135.179.99
May 27, 2022 21:17:30.629611015 CEST	6556	23	192.168.2.23	252.151.202.166
May 27, 2022 21:17:30.629616022 CEST	6556	23	192.168.2.23	142.27.4.128
May 27, 2022 21:17:30.629620075 CEST	6556	23	192.168.2.23	32.150.0.9
May 27, 2022 21:17:30.629627943 CEST	6556	23	192.168.2.23	178.182.189.196
May 27, 2022 21:17:30.629637957 CEST	6556	23	192.168.2.23	247.142.150.14
May 27, 2022 21:17:30.629642963 CEST	6556	23	192.168.2.23	95.80.50.226
May 27, 2022 21:17:30.629683971 CEST	6556	23	192.168.2.23	145.119.160.167
May 27, 2022 21:17:30.629695892 CEST	6556	23	192.168.2.23	126.53.28.195
May 27, 2022 21:17:30.629719973 CEST	6556	23	192.168.2.23	60.37.188.179
May 27, 2022 21:17:30.629725933 CEST	6556	23	192.168.2.23	53.12.116.174
May 27, 2022 21:17:30.629736900 CEST	6556	23	192.168.2.23	8.47.163.205
May 27, 2022 21:17:30.629740953 CEST	6556	23	192.168.2.23	151.232.166.68
May 27, 2022 21:17:30.629746914 CEST	6556	23	192.168.2.23	254.203.17.44
May 27, 2022 21:17:30.629781008 CEST	6556	23	192.168.2.23	163.138.31.255
May 27, 2022 21:17:30.629789114 CEST	6556	23	192.168.2.23	204.211.151.168
May 27, 2022 21:17:30.629805088 CEST	6556	23	192.168.2.23	46.84.226.86
May 27, 2022 21:17:30.629820108 CEST	6556	23	192.168.2.23	82.73.227.91
May 27, 2022 21:17:30.629832983 CEST	6556	23	192.168.2.23	109.62.224.105
May 27, 2022 21:17:30.629838943 CEST	6556	23	192.168.2.23	217.116.246.176
May 27, 2022 21:17:30.629841089 CEST	6556	23	192.168.2.23	212.139.142.36
May 27, 2022 21:17:30.629843950 CEST	6556	23	192.168.2.23	245.8.37.2
May 27, 2022 21:17:30.629857063 CEST	6556	23	192.168.2.23	252.210.205.85
May 27, 2022 21:17:30.629900932 CEST	6556	23	192.168.2.23	249.52.26.203
May 27, 2022 21:17:30.629905939 CEST	6556	23	192.168.2.23	187.217.81.167
May 27, 2022 21:17:30.629920959 CEST	6556	23	192.168.2.23	76.117.182.151
May 27, 2022 21:17:30.629930019 CEST	6556	23	192.168.2.23	88.212.159.97
May 27, 2022 21:17:30.629931927 CEST	6556	23	192.168.2.23	129.137.42.228
May 27, 2022 21:17:30.629933119 CEST	6556	23	192.168.2.23	16.158.157.65
May 27, 2022 21:17:30.629940033 CEST	6556	23	192.168.2.23	107.216.249.0
May 27, 2022 21:17:30.629951000 CEST	6556	23	192.168.2.23	119.40.70.174
May 27, 2022 21:17:30.629956007 CEST	6556	23	192.168.2.23	211.85.191.32
May 27, 2022 21:17:30.629976988 CEST	6556	23	192.168.2.23	120.194.72.39
May 27, 2022 21:17:30.629976988 CEST	6556	23	192.168.2.23	192.174.238.76
May 27, 2022 21:17:30.629987955 CEST	6556	23	192.168.2.23	8.76.40.7
May 27, 2022 21:17:30.630007982 CEST	6556	23	192.168.2.23	52.174.56.117
May 27, 2022 21:17:30.630013943 CEST	6556	23	192.168.2.23	55.121.115.12
May 27, 2022 21:17:30.630038977 CEST	6556	23	192.168.2.23	37.200.247.184
May 27, 2022 21:17:30.630048037 CEST	6556	23	192.168.2.23	135.58.77.194
May 27, 2022 21:17:30.630068064 CEST	6556	23	192.168.2.23	163.122.20.77
May 27, 2022 21:17:30.630070925 CEST	6556	23	192.168.2.23	206.238.108.62
May 27, 2022 21:17:30.630078077 CEST	6556	23	192.168.2.23	99.254.174.201
May 27, 2022 21:17:30.630089045 CEST	6556	23	192.168.2.23	142.99.153.246
May 27, 2022 21:17:30.630100012 CEST	6556	23	192.168.2.23	88.87.151.32
May 27, 2022 21:17:30.630105972 CEST	6556	23	192.168.2.23	87.115.45.179
May 27, 2022 21:17:30.630109072 CEST	6556	23	192.168.2.23	65.48.6.131
May 27, 2022 21:17:30.630125999 CEST	6556	23	192.168.2.23	71.120.238.122
May 27, 2022 21:17:30.630131006 CEST	6556	23	192.168.2.23	97.85.157.217
May 27, 2022 21:17:30.630139112 CEST	6556	23	192.168.2.23	243.87.59.254
May 27, 2022 21:17:30.630155087 CEST	6556	23	192.168.2.23	201.222.18.219
May 27, 2022 21:17:30.630156994 CEST	6556	23	192.168.2.23	185.62.130.249
May 27, 2022 21:17:30.630161047 CEST	6556	23	192.168.2.23	181.68.156.195
May 27, 2022 21:17:30.630167007 CEST	6556	23	192.168.2.23	10.75.188.229
May 27, 2022 21:17:30.630175114 CEST	6556	23	192.168.2.23	158.242.96.240
May 27, 2022 21:17:30.630187035 CEST	6556	23	192.168.2.23	188.122.174.85
May 27, 2022 21:17:30.630198002 CEST	6556	23	192.168.2.23	141.30.129.227
May 27, 2022 21:17:30.630218983 CEST	6556	23	192.168.2.23	221.246.44.42
May 27, 2022 21:17:30.630222082 CEST	6556	23	192.168.2.23	63.193.103.194
May 27, 2022 21:17:30.630242109 CEST	6556	23	192.168.2.23	191.41.246.11
May 27, 2022 21:17:30.630245924 CEST	6556	23	192.168.2.23	185.187.69.16
May 27, 2022 21:17:30.630254030 CEST	6556	23	192.168.2.23	98.177.3.225
May 27, 2022 21:17:30.630260944 CEST	6556	23	192.168.2.23	53.215.171.143
May 27, 2022 21:17:30.630274057 CEST	6556	23	192.168.2.23	147.198.19.62
May 27, 2022 21:17:30.630280972 CEST	6556	23	192.168.2.23	206.50.72.44
May 27, 2022 21:17:30.630295038 CEST	6556	23	192.168.2.23	172.156.237.113
May 27, 2022 21:17:30.630299091 CEST	6556	23	192.168.2.23	24.118.115.187
May 27, 2022 21:17:30.630306959 CEST	6556	23	192.168.2.23	89.157.112.32
May 27, 2022 21:17:30.630317926 CEST	6556	23	192.168.2.23	25.32.0.209
May 27, 2022 21:17:30.630330086 CEST	6556	23	192.168.2.23	54.187.56.99
May 27, 2022 21:17:30.630357027 CEST	6556	23	192.168.2.23	53.226.188.88
May 27, 2022 21:17:30.630364895 CEST	6556	23	192.168.2.23	252.202.111.10
May 27, 2022 21:17:30.630376101 CEST	6556	23	192.168.2.23	18.209.39.93
May 27, 2022 21:17:30.630383968 CEST	6556	23	192.168.2.23	56.73.4.196

System Behavior

Analysis Process: 5zKnElN0F2 PID: 6225, Parent PID: 6126

General

Start time:	21:17:29
Start date:	27/05/2022
Path:	/tmp/5zKnElN0F2
Arguments:	/tmp/5zKnElN0F2
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: 5zKnElN0F2 PID: 6227, Parent PID: 6225

General

Start time:	21:17:29
Start date:	27/05/2022
Path:	/tmp/5zKnElN0F2
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: 5zKnElN0F2 PID: 6229, Parent PID: 6225

General

Start time:	21:17:29
Start date:	27/05/2022
Path:	/tmp/5zKnElN0F2
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: 5zKnElN0F2 PID: 6233, Parent PID: 6229

General

Start time:	21:17:29
Start date:	27/05/2022
Path:	/tmp/5zKnElN0F2
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: 5zKnElN0F2 PID: 6236, Parent PID: 6229

General

Start time:	21:17:29
Start date:	27/05/2022
Path:	/tmp/5zKnElN0F2
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: 5zKnElN0F2 PID: 6238, Parent PID: 6236

General

Start time:	21:17:29
Start date:	27/05/2022
Path:	/tmp/5zKnElN0F2
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 5zKnElN0F2

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: 5zKnElN0F2 PID: 6225, Parent PID: 6126

General

Analysis Process: 5zKnElN0F2 PID: 6227, Parent PID: 6225

General

Analysis Process: 5zKnElN0F2 PID: 6229, Parent PID: 6225

General

Analysis Process: 5zKnElN0F2 PID: 6233, Parent PID: 6229

General

Analysis Process: 5zKnElN0F2 PID: 6236, Parent PID: 6229

General

Analysis Process: 5zKnElN0F2 PID: 6238, Parent PID: 6236

General

Linux Analysis Report
5zKnElN0F2