Source: LxfGfOr9r6 | Virustotal: Detection: 50%
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: /tmp/LxfGfOr9r6 (PID: 6228) | Socket: 127.0.0.1::1312
Source: /tmp/LxfGfOr9r6 (PID: 6239) | Socket: 0.0.0.0::0
Source: unknown | DNS traffic detected: queries for: arcticboatz.cz
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample | .symtab present: no
Source: /tmp/LxfGfOr9r6 (PID: 6239) | SIGKILL sent: pid: 936, result: successful
Source: Initial sample | String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample | String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample | String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample | String containing 'busybox' found: >>retrieve/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: classification engine | Classification label: mal64.troj.lin@0/0@48/0
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/491/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/793/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/772/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/796/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/774/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/797/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/777/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/799/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/658/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/912/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/759/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/936/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/918/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/1/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/761/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/785/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/884/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/720/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/721/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/788/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/789/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/800/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/801/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/847/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239) | File opened: /proc/904/fd
Source: /tmp/LxfGfOr9r6 (PID: 6228) | Queries kernel information via 'uname'
Source: LxfGfOr9r6, 6228.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6328.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6240.1.00005576c4867000.00005576c48ec000.rw-.sdmp | Binary or memory string: vU!/etc/qemu-binfmt/m68k
Source: LxfGfOr9r6, 6228.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6328.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6240.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: LxfGfOr9r6, 6228.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6328.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6240.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/LxfGfOr9r6SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/LxfGfOr9r6
Source: LxfGfOr9r6, 6228.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6328.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6240.1.00005576c4867000.00005576c48ec000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: LxfGfOr9r6, type: SAMPLE
Source: Yara match | File source: 6240.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6228.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6328.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY