Source: vmDskLsKEA, type: SAMPLE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: vmDskLsKEA, type: SAMPLE |
Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 date = 2022-03-16, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant |
Source: 6225.1.00007f99dc042000.00007f99dc047000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6228.1.00007f99dc042000.00007f99dc047000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6228.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6225.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: __gnu_unwind_execute |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: asus_scanner_init |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: asus_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: asus_scanner_rawpkt |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: comtrend_scanner |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: comtrend_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: comtrend_scanner_rawpkt |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlink_scanner.c |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlinkscanner_fake_time |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlinkscanner_rsck |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlinkscanner_scanner_init |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlinkscanner_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlinkscanner_scanner_rawpkt |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: dlinkscanner_setup_connection |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon443_scanner |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon443_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon443_scanner_rawpkt |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon80_scanner |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon80_scanner.c |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon80_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: gpon80_scanner_rawpkt |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnap_scanner.c |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnapscanner_fake_time |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnapscanner_rsck |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnapscanner_scanner_init |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnapscanner_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnapscanner_scanner_rawpkt |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: hnapscanner_setup_connection |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: huawei_scanner_pid |
Source: vmDskLsKEA |
ELF static info symbol of initial sample: huawei_scanner_rawpkt |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6236/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6235/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1582/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2033/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2275/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/3088/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6191/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6190/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1612/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1579/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1699/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1335/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1698/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2028/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1334/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1576/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2302/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/3236/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2025/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2146/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/910/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/912/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6229/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/517/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/759/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2307/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/918/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6240/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6243/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6244/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6247/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6246/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1594/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2285/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2281/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1349/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1623/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/761/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1622/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/884/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1983/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2038/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1344/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1465/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1586/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1463/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2156/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/800/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6238/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/801/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1629/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1627/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1900/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6252/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6253/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6258/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6257/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/3021/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/491/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2294/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2050/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1877/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/772/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1633/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1599/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1632/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/774/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1477/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/654/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/896/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1476/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1872/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2048/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/655/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1475/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2289/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/656/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/777/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/657/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/4466/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/658/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/4467/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6248/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/4468/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/4469/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/4502/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/419/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/936/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1639/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1638/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2208/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2180/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1809/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1494/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1890/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2063/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/2062/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6261/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/6260/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1888/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1886/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/420/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1489/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/785/exe |
Jump to behavior |
Source: /tmp/vmDskLsKEA (PID: 6227) |
File opened: /proc/1642/exe |
Jump to behavior |
Source: vmDskLsKEA, 6225.1.00005564dbe5e000.00005564dbfb0000.rw-.sdmp, vmDskLsKEA, 6228.1.00005564dbe5e000.00005564dbf8c000.rw-.sdmp |
Binary or memory string: dU!/etc/qemu-binfmt/arm |
Source: vmDskLsKEA, 6225.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp, vmDskLsKEA, 6228.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp |
Binary or memory string: m9x86_64/usr/bin/qemu-arm/tmp/vmDskLsKEASUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/vmDskLsKEA |
Source: vmDskLsKEA, 6225.1.00005564dbe5e000.00005564dbfb0000.rw-.sdmp, vmDskLsKEA, 6228.1.00005564dbe5e000.00005564dbf8c000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
Source: vmDskLsKEA, 6225.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp, vmDskLsKEA, 6228.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |