Source: STa4J3TGC8, type: SAMPLE |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: STa4J3TGC8, type: SAMPLE |
Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 date = 2022-03-16, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant |
Source: 6233.1.00007f3d50042000.00007f3d50047000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6236.1.00007f3d50042000.00007f3d50047000.rw-.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6236.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: 6233.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
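The SUSP_XORed_Mozilla rule above fires on the sample file and on four memory regions of PIDs 6233 and 6236, but, as its description says, yara's xor modifier only reports that some single-byte key turns the bytes into 'Mozilla/5.0'; it never tells you which key. The following Python is an added example (not part of the sandbox report, the rule, or the CyberChef recipe it references) that does offline what the linked XOR_Brute_Force recipe does interactively: it tries every key from 0x01 to 0xff against a memory region and decodes the full string around each hit, which usually recovers the complete User-Agent the bot uses. The memory region, the key 0x5A, and the User-Agent text are constructed for the example; key 0x00 is skipped because it is just the plaintext keyword, which an ordinary (non-xor) YARA string already covers.

```python
# Constructed "memory region": filler bytes around a User-Agent string that
# has been XORed with one byte, mimicking what the rule's xor modifier matches.
# The key (0x5A), the surrounding bytes and the UA text are made up here.
_KEY = 0x5A
_UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_REGION = (
    b"\x00" * 16
    + b"/proc/1582/exe\x00"          # unrelated plaintext string nearby
    + bytes(b ^ _KEY for b in _UA)   # the obfuscated User-Agent
    + b"\xff" * 16                    # trailing filler (0xff ^ 0x5A is not printable)
)

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one single-byte XOR key to every byte: the transform yara's
    xor modifier applies to a string before searching for it."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(region: bytes, keyword: bytes = KEYWORD):
    """Return [(key, offset), ...] for every single-byte key under which
    `keyword` occurs in `region`. Key 0x00 is skipped: that is the plaintext
    keyword, which a plain YARA string matches and which is not suspicious."""
    hits = []
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)  # how the keyword looks in memory under this key
        start = 0
        while True:
            off = region.find(needle, start)
            if off < 0:
                break
            hits.append((key, off))
            start = off + 1
    return hits


def recover_string(region: bytes, key: int, offset: int, max_len: int = 128) -> str:
    """Decode the run of printable ASCII starting at a hit, stopping at the first
    byte that is not printable after decoding. This yields the whole obfuscated
    string (e.g. the full User-Agent), not only the 11-byte keyword the rule saw."""
    out = bytearray()
    for b in region[offset:offset + max_len]:
        c = b ^ key
        if not 0x20 <= c < 0x7F:
            break
        out.append(c)
    return out.decode("ascii")


if __name__ == "__main__":
    for key, off in find_xored_keyword(SAMPLE_REGION):
        print(f"key=0x{key:02x} offset=0x{off:x} -> {recover_string(SAMPLE_REGION, key, off)!r}")
```

To apply this to the report's own hits, feed it the raw bytes of one of the listed .sdmp regions (for instance 6233.1.00007f3d50017000.00007f3d50039000.r-x.sdmp) in place of SAMPLE_REGION; a region that matches under several keys usually contains several independently obfuscated strings, and each should be decoded with its own key.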
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: __gnu_unwind_execute |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: asus_scanner_init |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: asus_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: asus_scanner_rawpkt |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: comtrend_scanner |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: comtrend_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: comtrend_scanner_rawpkt |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlink_scanner.c |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlinkscanner_fake_time |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlinkscanner_rsck |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlinkscanner_scanner_init |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlinkscanner_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlinkscanner_scanner_rawpkt |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: dlinkscanner_setup_connection |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon443_scanner |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon443_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon443_scanner_rawpkt |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon80_scanner |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon80_scanner.c |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon80_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: gpon80_scanner_rawpkt |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnap_scanner.c |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnapscanner_fake_time |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnapscanner_rsck |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnapscanner_scanner_init |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnapscanner_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnapscanner_scanner_rawpkt |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: hnapscanner_setup_connection |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: huawei_scanner_pid |
Source: STa4J3TGC8 |
ELF static info symbol of initial sample: huawei_scanner_rawpkt |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1582/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2033/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2275/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/3088/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6191/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6192/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1612/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1579/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1699/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1335/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1698/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2028/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1334/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1576/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2302/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/3236/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2025/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2146/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/910/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/912/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/517/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/759/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2307/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/918/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6241/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6242/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6244/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/4464/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/4465/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6246/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1594/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2285/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2281/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1349/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1623/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/761/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1622/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/884/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1983/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2038/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1344/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1465/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1586/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1463/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2156/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/800/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/801/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6237/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1629/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1627/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1900/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6251/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6254/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6256/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6255/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6258/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6257/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/3021/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/491/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2294/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2050/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1877/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/772/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1633/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1599/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1632/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/774/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1477/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/654/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/896/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1476/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1872/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2048/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/655/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1475/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2289/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/656/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/777/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/657/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/4466/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6249/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/658/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/4467/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/4500/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6248/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/419/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/936/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1639/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1638/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2208/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2180/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6267/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6266/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1809/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1494/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1890/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2063/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2062/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1888/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1886/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/420/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1489/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/785/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1642/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/788/exe |
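The records above show PID 6235 opening /proc/<pid>/exe for 105 different processes in a row. A single process resolving the executable of almost every other process on the box is process enumeration, and it is exactly what the killer routine in the public Mirai source does: it walks /proc, reads each process's exe link, and terminates rival bots and anything bound to the ports it wants. The Python below is an added example (not from the report or from any sandbox vendor's tooling) that turns this pattern into a check you can run over exported "Source / File opened" records: it groups /proc/<pid>/exe opens by the opening process, ignores a process reading its own entry, and flags any process that inspected at least `min_targets` other processes. The record excerpt is constructed from a few of the lines above plus two made-up benign lines; the threshold and the regexes are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "File opened" records (three real
# entries from the listing, one benign non-/proc open, and one process
# reading only its own /proc entry). The real report has 105 /proc opens.
SAMPLE_RECORDS = """\
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/1582/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/2033/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /proc/6241/exe |
Source: /tmp/STa4J3TGC8 (PID: 6235) |
File opened: /etc/resolv.conf |
Source: /usr/bin/ls (PID: 7001) |
File opened: /proc/7001/exe |
"""

SOURCE_RE = re.compile(r"^Source:\s+(?P<path>\S+)\s+\(PID:\s+(?P<pid>\d+)\)")
OPEN_RE = re.compile(r"^File opened:\s+(?P<target>\S+)")
PROC_EXE_RE = re.compile(r"^/proc/(?P<pid>\d+)/exe$")


def parse_opens(text):
    """Yield (source_path, source_pid, opened_path) for each Source/File opened pair.
    A 'Source:' line sets the current process; the following 'File opened:' line
    is attributed to it. Trailing ' |' separators from the report are stripped."""
    current = None
    for line in text.splitlines():
        line = line.rstrip(" |")
        m = SOURCE_RE.match(line)
        if m:
            current = (m.group("path"), int(m.group("pid")))
            continue
        m = OPEN_RE.match(line)
        if m and current is not None:
            yield current[0], current[1], m.group("target")


def proc_exe_sweeps(text, min_targets=3):
    """Group /proc/<pid>/exe opens by the opening process and return those that
    inspected at least `min_targets` *other* processes, as
    {(path, pid): [inspected pids...]}. A process opening its own
    /proc/<own pid>/exe is ordinary self-inspection and is not counted."""
    targets = defaultdict(set)
    for path, pid, opened in parse_opens(text):
        m = PROC_EXE_RE.match(opened)
        if m and int(m.group("pid")) != pid:
            targets[(path, pid)].add(int(m.group("pid")))
    return {
        key: sorted(pids)
        for key, pids in targets.items()
        if len(pids) >= min_targets
    }


if __name__ == "__main__":
    for (path, pid), inspected in proc_exe_sweeps(SAMPLE_RECORDS).items():
        print(f"{path} (PID {pid}) inspected {len(inspected)} other processes: {inspected}")
```

Run against the full listing, the check flags /tmp/STa4J3TGC8 (PID 6235) with 105 inspected processes; the benign /usr/bin/ls entry is dropped because its only /proc open is its own. The same logic applies to auditd or eBPF open() telemetry on a live host once the lines are mapped to (process, opened path) pairs, which is where a threshold of a few dozen distinct PIDs in a short window separates a bot's killer sweep from legitimate tools such as ps that read /proc/<pid>/stat rather than exe.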
Source: STa4J3TGC8, 6233.1.000055f238674000.000055f2387c6000.rw-.sdmp, STa4J3TGC8, 6236.1.000055f238674000.000055f2387a2000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/arm |
Source: STa4J3TGC8, 6233.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp, STa4J3TGC8, 6236.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/STa4J3TGC8SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/STa4J3TGC8 |
Source: STa4J3TGC8, 6233.1.000055f238674000.000055f2387c6000.rw-.sdmp, STa4J3TGC8, 6236.1.000055f238674000.000055f2387a2000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
Source: STa4J3TGC8, 6233.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp, STa4J3TGC8, 6236.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |