
Linux Analysis Report
loligang.arm

Overview

General Information

Sample Name:loligang.arm
Analysis ID:651255
MD5:400fb602a83456d046d02ca8a746bb27
SHA1:58ae954f8e0f72c13920faf69379652e6e61519c
SHA256:e7ebfd53202270d83db456a781899c4ac41b8a11333ccb7d6e3454f3d6409e08
Infos:

Detection

Mirai
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Yara signature match
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:651255
Start date and time: 2022-06-23 17:51:06 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 18s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:loligang.arm
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal80.troj.linARM@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
Command:/tmp/loligang.arm
PID:6233
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
loligang.arm | SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth
  • 0x10c48:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10cb8:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10d28:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10d98:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10e08:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x11078:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x110cc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x11120:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x11174:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x111c8:$xo1: oMXKNNC\x0D\x17\x0C\x12
loligang.arm | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth
  • 0x10624:$x1: POST /cdn-cgi/
  • 0x10ac8:$s1: LCOGQGPTGP
loligang.arm | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth
  • 0x10624:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
loligang.arm | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security
loligang.arm | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Mirai_12 | Yara detected Mirai | Joe Security
Source | Rule | Description | Author | Strings
6233.1.00000000cc577198.00000000dadd8b75.rw-.sdmp | SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth
  • 0x78:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xcc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x120:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x174:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c8:$xo1: oMXKNNC\x0D\x17\x0C\x12
6236.1.00000000dadd8b75.0000000004e52adb.rw-.sdmp | SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth
  • 0x414:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x488:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x4fc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x570:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x5e4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x864:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x8bc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x914:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x96c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x9c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
6242.1.00000000cc577198.00000000dadd8b75.rw-.sdmp | SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth
  • 0x78:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xcc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x120:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x174:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c8:$xo1: oMXKNNC\x0D\x17\x0C\x12
6236.1.000000008e4bd100.000000001113544c.r-x.sdmp | SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth
  • 0x10c48:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10cb8:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10d28:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10d98:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x10e08:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x11078:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x110cc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x11120:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x11174:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x111c8:$xo1: oMXKNNC\x0D\x17\x0C\x12
6236.1.000000008e4bd100.000000001113544c.r-x.sdmp | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth
  • 0x10624:$x1: POST /cdn-cgi/
  • 0x10ac8:$s1: LCOGQGPTGP
No Snort rule has matched

AV Detection

Source: loligang.arm, Avira: detected
Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic, TCP traffic: 192.168.2.23:45602 -> 139.59.109.181:1791
Source: /tmp/loligang.arm (PID: 6235), Socket: 0.0.0.0::23
Source: /tmp/loligang.arm (PID: 6235), Socket: 0.0.0.0::0
Source: /tmp/loligang.arm (PID: 6235), Socket: 0.0.0.0::80
Source: /tmp/loligang.arm (PID: 6235), Socket: 0.0.0.0::81
Source: /tmp/loligang.arm (PID: 6235), Socket: 0.0.0.0::8443
Source: /tmp/loligang.arm (PID: 6235), Socket: 0.0.0.0::9009
Source: /tmp/loligang.arm (PID: 6241), Socket: 0.0.0.0::0
Source: /tmp/loligang.arm (PID: 6241), Socket: 0.0.0.0::80
Source: /tmp/loligang.arm (PID: 6241), Socket: 0.0.0.0::81
Source: /tmp/loligang.arm (PID: 6241), Socket: 0.0.0.0::8443
Source: /tmp/loligang.arm (PID: 6241), Socket: 0.0.0.0::9009
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: loligang.arm, type: SAMPLE, Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: loligang.arm, type: SAMPLE, Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: loligang.arm, type: SAMPLE, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: loligang.arm, type: SAMPLE, Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: loligang.arm, type: SAMPLE, Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6233.1.00000000cc577198.00000000dadd8b75.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6236.1.00000000dadd8b75.0000000004e52adb.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6242.1.00000000cc577198.00000000dadd8b75.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6233.1.00000000dadd8b75.0000000004e52adb.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6235.1.00000000dadd8b75.0000000004e52adb.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6235.1.00000000cc577198.00000000dadd8b75.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6236.1.00000000cc577198.00000000dadd8b75.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6242.1.00000000dadd8b75.0000000004e52adb.rw-.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY, Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: ELF static info symbol of initial sample, .symtab present: no
Source: /tmp/loligang.arm (PID: 6235), SIGKILL sent: pid: 936, result: successful
Source: /tmp/loligang.arm (PID: 6241), SIGKILL sent: pid: 936, result: successful
Source: /tmp/loligang.arm (PID: 6241), SIGKILL sent: pid: 6235, result: successful
Source: /tmp/loligang.arm (PID: 6241), SIGKILL sent: pid: 759, result: successful
Source: classification engine, Classification label: mal80.troj.linARM@0/0@0/0
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/6235/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2033/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2033/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1582/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1582/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2275/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/6191/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/6190/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1612/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1612/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1579/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1579/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1699/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1699/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1335/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1335/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1698/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1698/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2028/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2028/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1334/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1334/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1576/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1576/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2302/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/3236/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2025/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2025/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2146/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/910/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/912/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/912/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/912/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/759/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/759/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/759/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/517/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2307/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/918/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/918/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/918/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1594/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1594/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2285/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/2281/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1349/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1349/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1623/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1623/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/761/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/761/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/761/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1622/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/1622/exe
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/884/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/884/fd
Source: /tmp/loligang.arm (PID: 6241), File opened: /proc/884/exe
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1983/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1983/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/2038/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/2038/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1586/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1586/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1465/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1465/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1344/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1344/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1860/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1860/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1463/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1463/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/2156/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/800/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/800/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/800/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/801/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/801/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/801/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1629/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1629/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1627/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1627/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1900/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1900/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/491/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/491/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/491/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/2294/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/2050/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/2050/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1877/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1877/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/772/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/772/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/772/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1633/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1633/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1599/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1599/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1632/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1632/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1477/fdJump to behavior
        Source: /tmp/loligang.arm (PID: 6241)File opened: /proc/1477/exeJump to behavior
        Source: /tmp/loligang.arm (PID: 6233)Queries kernel information via 'uname': Jump to behavior
        Source: loligang.arm, 6233.1.000000006e500768.00000000c775d82a.rw-.sdmp, loligang.arm, 6235.1.000000006e500768.00000000c775d82a.rw-.sdmp, loligang.arm, 6236.1.000000006e500768.00000000c775d82a.rw-.sdmp, loligang.arm, 6242.1.000000006e500768.00000000c775d82a.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
        Source: loligang.arm, 6233.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp, loligang.arm, 6235.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp, loligang.arm, 6236.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp, loligang.arm, 6242.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/loligang.armSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/loligang.arm
        Source: loligang.arm, 6233.1.000000006e500768.00000000c775d82a.rw-.sdmp, loligang.arm, 6235.1.000000006e500768.00000000c775d82a.rw-.sdmp, loligang.arm, 6236.1.000000006e500768.00000000c775d82a.rw-.sdmp, loligang.arm, 6242.1.000000006e500768.00000000c775d82a.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
        Source: loligang.arm, 6233.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp, loligang.arm, 6235.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp, loligang.arm, 6236.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp, loligang.arm, 6242.1.0000000034c2cfa5.0000000016bd506a.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

        Stealing of Sensitive Information

        Source: Yara match, File source: dump.pcap, type: PCAP
        Source: Yara match, File source: loligang.arm, type: SAMPLE
        Source: Yara match, File source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match, File source: dump.pcap, type: PCAP
        Source: Yara match, File source: loligang.arm, type: SAMPLE
        Source: Yara match, File source: 6236.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 6242.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 6233.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 6235.1.000000008e4bd100.000000001113544c.r-x.sdmp, type: MEMORY
        MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count of matched signatures for that technique):

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
        Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
        Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
        Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
        Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
        Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Modify System Partition; Device Lockout; Delete Device Data
        No configs have been found