Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
loligang.x86

Overview

General Information

Sample Name:loligang.x86
Analysis ID:651260
MD5:626c4dc99eea6d5e4df179086edc8a98
SHA1:51079f907260930c3b991286ad11abb61d76b91d
SHA256:68cb74c5325f29a74eae212973ea710b3a885a3866853e21b3bdaf9e262b0c23
Infos:

Detection

Mirai
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Enumerates processes within the "proc" file system
Yara signature match
Sample tries to kill a process (SIGKILL)
Sample has stripped symbol table

Classification

Joe Sandbox Version:35.0.0 Citrine
Analysis ID:651260
Start date and time: 23/06/202217:59:272022-06-23 17:59:27 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 26s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:loligang.x86
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal68.troj.linX86@0/0@0/0
Command:/tmp/loligang.x86
PID:6222
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
SourceRuleDescriptionAuthorStrings
loligang.x86SUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
  • 0xefc4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf034:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf0a4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf114:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf184:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf3f4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf448:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf49c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf4f0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xf544:$xo1: oMXKNNC\x0D\x17\x0C\x12
loligang.x86Mirai_Botnet_MalwareDetects Mirai Botnet MalwareFlorian Roth
  • 0xe9e0:$x1: POST /cdn-cgi/
  • 0xee2b:$s1: LCOGQGPTGP
loligang.x86JoeSecurity_Mirai_9Yara detected MiraiJoe Security
    SourceRuleDescriptionAuthorStrings
    6226.1.00000000622d5c71.00000000a6a40188.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6227.1.00000000622d5c71.00000000a6a40188.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6244.1.00000000622d5c71.00000000a6a40188.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6222.1.00000000622d5c71.00000000a6a40188.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6243.1.00000000622d5c71.00000000a6a40188.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x598:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x610:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x688:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x700:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x778:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa08:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xa60:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xab8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb10:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0xb68:$xo1: oMXKNNC\x0D\x17\x0C\x12
    Click to see the 19 entries
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: loligang.x86Virustotal: Detection: 61%Perma Link
    Source: loligang.x86Joe Sandbox ML: detected

    System Summary

    barindex
    Source: loligang.x86, type: SAMPLEMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: loligang.x86, type: SAMPLEMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: loligang.x86, type: SAMPLEMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: 6226.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6227.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6244.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6222.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6243.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: 6224.1.00000000622d5c71.00000000a6a40188.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
    Source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: /tmp/loligang.x86 (PID: 6223)SIGKILL sent: pid: 936, result: successfulJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)SIGKILL sent: pid: 6226, result: successfulJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)SIGKILL sent: pid: 759, result: successfulJump to behavior
    Source: /tmp/loligang.x86 (PID: 6226)SIGKILL sent: pid: 936, result: successfulJump to behavior
    Source: /tmp/loligang.x86 (PID: 6244)SIGKILL sent: pid: 6243, result: successfulJump to behavior
    Source: ELF static info symbol of initial sample.symtab present: no
    Source: classification engineClassification label: mal68.troj.linX86@0/0@0/0
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2033/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2033/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1582/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1582/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2275/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2275/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/3088/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1612/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1612/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1579/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1579/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1699/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1699/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1335/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1335/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1698/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1698/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2028/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2028/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1334/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1334/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1576/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1576/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2302/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2302/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/3236/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/3236/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2025/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2025/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2146/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2146/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/910/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/6226/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/912/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/912/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/912/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/759/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/759/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/759/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/517/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2307/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2307/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/918/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/918/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/918/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1594/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1594/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2285/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2285/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2281/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2281/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1349/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1349/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1623/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1623/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/761/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/761/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/761/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1622/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1622/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/884/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/884/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/884/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1983/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1983/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2038/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2038/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1586/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1586/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1465/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1465/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1344/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1344/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1860/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1463/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1463/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2156/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2156/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/800/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/800/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/800/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/801/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/801/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/801/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1629/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1629/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1627/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1627/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1900/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1900/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/4470/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/3021/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/491/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/491/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/491/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2294/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2294/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2050/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/2050/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1877/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/1877/exeJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/772/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/772/fdJump to behavior
    Source: /tmp/loligang.x86 (PID: 6223)File opened: /proc/772/exeJump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: loligang.x86, type: SAMPLE
    Source: Yara matchFile source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: loligang.x86, type: SAMPLE
    Source: Yara matchFile source: 6244.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6224.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6227.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6243.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6226.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6222.1.000000001a887bdc.00000000328ec990.r-x.sdmp, type: MEMORY
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume Access1
    OS Credential Dumping
    System Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    No configs have been found
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 651260 Sample: loligang.x86 Startdate: 23/06/2022 Architecture: LINUX Score: 68 26 Malicious sample detected (through community Yara rule) 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Mirai 2->30 32 Machine Learning detection for sample 2->32 8 loligang.x86 2->8         started        process3 process4 10 loligang.x86 8->10         started        12 loligang.x86 8->12         started        14 loligang.x86 8->14         started        process5 16 loligang.x86 10->16         started        18 loligang.x86 10->18         started        20 loligang.x86 10->20         started        22 loligang.x86 10->22         started        process6 24 loligang.x86 16->24         started       
    SourceDetectionScannerLabelLink
    loligang.x8661%VirustotalBrowse
    loligang.x86100%Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    No context
    No context
    No context
    No context
    No context
    No created / dropped files found
    File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):6.408338044451668
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:loligang.x86
    File size:66136
    MD5:626c4dc99eea6d5e4df179086edc8a98
    SHA1:51079f907260930c3b991286ad11abb61d76b91d
    SHA256:68cb74c5325f29a74eae212973ea710b3a885a3866853e21b3bdaf9e262b0c23
    SHA512:bc203a473c19b41ea9f0a2e0487abd1fa853fd89b7bb7ec612014fd1f0e0787786416e31699244e5d22b3edd659bade57022b9433029689605bb6a740b46b676
    SSDEEP:1536:IoRC9170vwHbQXZ5+qXDEuXi90dSW7V/DjObeFt6PuQ4ZH:PC917iwHbQXZ5+qXA594SWZ/XObeb6G7
    TLSH:AB5329C8A593F8F5DC140978307ABB66AEB3F13B7135E99BC3D82927A841702D10669D
    File Content Preview:.ELF....................d...4...........4. ...(..................... ... ...........................................Q.td............................U..S.......w....h........[]...$.............U......=.....t..5....$......$.......u........t....h {..........

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:Intel 80386
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x8048164
    Flags:0x0
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:65736
    Section Header Size:40
    Number of Section Headers:10
    Header String Table Index:9
    NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
    NULL0x00x00x00x00x0000
    .initPROGBITS0x80480940x940x1c0x00x6AX001
    .textPROGBITS0x80480b00xb00xe9060x00x6AX0016
    .finiPROGBITS0x80569b60xe9b60x170x00x6AX001
    .rodataPROGBITS0x80569e00xe9e00x11400x00x2A0032
    .ctorsPROGBITS0x80580000x100000x80x00x3WA004
    .dtorsPROGBITS0x80580080x100080x80x00x3WA004
    .dataPROGBITS0x80580200x100200x680x00x3WA004
    .bssNOBITS0x80580a00x100880x8600x00x3WA0032
    .shstrtabSTRTAB0x00x100880x3e0x00x0001
    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x80480000x80480000xfb200xfb206.50000x5R E0x1000.init .text .fini .rodata
    LOAD0x100000x80580000x80580000x880x9001.75700x6RW 0x1000.ctors .dtors .data .bss
    GNU_STACK0x00x00x00x00x00.00000x6RW 0x4
    No network behavior found

    System Behavior