Linux Analysis Report
loligang.x86

Overview

General Information

Sample Name: loligang.x86
Analysis ID: 651260
MD5: 626c4dc99eea6d5e4df179086edc8a98
SHA1: 51079f907260930c3b991286ad11abb61d76b91d
SHA256: 68cb74c5325f29a74eae212973ea710b3a885a3866853e21b3bdaf9e262b0c23

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Enumerates processes within the "proc" file system
Yara signature match
Sample tries to kill a process (SIGKILL)
Sample has stripped symbol table

Classification

AV Detection

Source: loligang.x86 Virustotal: Detection: 61%
Source: loligang.x86 Joe Sandbox ML: detected

System Summary

Source: loligang.x86, type: SAMPLE Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: loligang.x86, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: loligang.x86, type: SAMPLE Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6226.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6227.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6244.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6222.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6243.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6224.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: /tmp/loligang.x86 (PID: 6223) SIGKILL sent: pid: 936, result: successful
Source: /tmp/loligang.x86 (PID: 6223) SIGKILL sent: pid: 6226, result: successful
Source: /tmp/loligang.x86 (PID: 6223) SIGKILL sent: pid: 759, result: successful
Source: /tmp/loligang.x86 (PID: 6226) SIGKILL sent: pid: 936, result: successful
Source: /tmp/loligang.x86 (PID: 6244) SIGKILL sent: pid: 6243, result: successful
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal68.troj.linX86@0/0@0/0
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2033/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2033/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1582/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1582/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2275/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2275/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/3088/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1612/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1612/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1579/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1579/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1699/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1699/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1335/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1335/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1698/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1698/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2028/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2028/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1334/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1334/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1576/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1576/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2302/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2302/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/3236/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/3236/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2025/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2025/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2146/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2146/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/910/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/6226/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/912/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/912/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/912/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/759/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/759/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/759/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/517/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2307/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2307/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/918/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/918/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/918/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1594/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1594/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2285/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2285/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2281/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2281/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1349/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1349/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1623/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1623/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/761/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/761/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/761/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1622/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1622/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/884/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/884/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/884/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1983/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1983/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2038/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2038/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1586/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1586/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1465/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1465/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1344/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1344/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1860/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1463/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1463/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2156/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2156/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/800/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/800/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/800/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/801/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/801/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/801/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1629/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1629/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1627/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1627/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1900/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1900/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/4470/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/3021/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/491/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/491/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/491/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2294/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2294/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2050/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/2050/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1877/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/1877/exe
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/772/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/772/fd
Source: /tmp/loligang.x86 (PID: 6223) File opened: /proc/772/exe

Stealing of Sensitive Information

Source: Yara match File source: loligang.x86, type: SAMPLE
Source: Yara match File source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: loligang.x86, type: SAMPLE
Source: Yara match File source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
No contacted IP infos