
Linux Analysis Report
SSBFSIj3wk

Overview

General Information

Sample Name: SSBFSIj3wk
Analysis ID: 679620
MD5: 1beaa289a2e5c583a8ade22549a87e45
SHA1: 7dcf5380b1d43e2fd3d15e32373edd635427229c
SHA256: 63992f68aa03ce566fb5d9cbab680a1c3e04ef381081b51f219461da771cba62
Tags: 32, elf, intel, mirai
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Yara signature match
Sample has stripped symbol table
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample tries to kill a process (SIGKILL)
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679620
Start date and time: 2022-08-06 06:47:13 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SSBFSIj3wk
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal68.troj.lin@0/0@43/0
  • Report size exceeded maximum capacity and may have missing network information.
Command: /tmp/SSBFSIj3wk
PID: 6228
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • SSBFSIj3wk (PID: 6228, Parent: 6123, MD5: 1beaa289a2e5c583a8ade22549a87e45) Arguments: /tmp/SSBFSIj3wk
  • cleanup
Source | Rule | Description | Author | Strings
SSBFSIj3wk | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
SSBFSIj3wk | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown |
    • 0x4c00:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
    • 0x4c50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
SSBFSIj3wk | Linux_Trojan_Mirai_24c5b7d6 | unknown | unknown |
    • 0xad72:$a: 54 38 1C 80 FA 3E 74 25 80 FA 3A 74 20 80 FA 24 74 1B 80 FA 23
SSBFSIj3wk | Linux_Trojan_Mirai_88de437f | unknown | unknown |
    • 0xc722:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
SSBFSIj3wk | Linux_Trojan_Mirai_ae9d0fa6 | unknown | unknown |
    • 0xd82:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
    (2 further entries not shown)
Source | Rule | Description | Author | Strings
6228.1.0000000008048000.000000000805c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6228.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown |
    • 0x4c00:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
    • 0x4c50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6228.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_24c5b7d6 | unknown | unknown |
    • 0xad72:$a: 54 38 1C 80 FA 3E 74 25 80 FA 3A 74 20 80 FA 24 74 1B 80 FA 23
6228.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_88de437f | unknown | unknown |
    • 0xc722:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6228.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_ae9d0fa6 | unknown | unknown |
    • 0xd82:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
    (16 further entries not shown)
No Snort rule has matched


      AV Detection

Source: SSBFSIj3wk; Virustotal: Detection: 53%
Source: SSBFSIj3wk; ReversingLabs: Detection: 62%
Source: SSBFSIj3wk; Joe Sandbox ML: detected
Source: global traffic; TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: unknown; DNS traffic detected: queries for: arcticboatz.cz
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 55578
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown; TCP traffic detected without corresponding DNS query: 68.195.50.67
Source: unknown; TCP traffic detected without corresponding DNS query: 162.167.117.199
Source: unknown; TCP traffic detected without corresponding DNS query: 202.81.32.67
Source: unknown; TCP traffic detected without corresponding DNS query: 86.40.59.64
Source: unknown; TCP traffic detected without corresponding DNS query: 147.74.30.71
Source: unknown; TCP traffic detected without corresponding DNS query: 76.17.6.164
Source: unknown; TCP traffic detected without corresponding DNS query: 69.86.168.58
Source: unknown; TCP traffic detected without corresponding DNS query: 47.108.79.178
Source: unknown; TCP traffic detected without corresponding DNS query: 87.213.96.138
Source: unknown; TCP traffic detected without corresponding DNS query: 58.100.198.137
Source: unknown; TCP traffic detected without corresponding DNS query: 76.246.243.225
Source: unknown; TCP traffic detected without corresponding DNS query: 186.83.62.48
Source: unknown; TCP traffic detected without corresponding DNS query: 217.191.83.36
Source: unknown; TCP traffic detected without corresponding DNS query: 13.174.202.182
Source: unknown; TCP traffic detected without corresponding DNS query: 204.88.189.98
Source: unknown; TCP traffic detected without corresponding DNS query: 107.173.137.9
Source: unknown; TCP traffic detected without corresponding DNS query: 197.24.15.249
Source: unknown; TCP traffic detected without corresponding DNS query: 42.17.65.121
Source: unknown; TCP traffic detected without corresponding DNS query: 96.187.111.50
Source: unknown; TCP traffic detected without corresponding DNS query: 32.216.5.41
Source: unknown; TCP traffic detected without corresponding DNS query: 192.138.244.88
Source: unknown; TCP traffic detected without corresponding DNS query: 213.175.18.187
Source: unknown; TCP traffic detected without corresponding DNS query: 153.235.57.169
Source: unknown; TCP traffic detected without corresponding DNS query: 68.76.31.148
Source: unknown; TCP traffic detected without corresponding DNS query: 41.26.95.169
Source: unknown; TCP traffic detected without corresponding DNS query: 53.200.235.95
Source: unknown; TCP traffic detected without corresponding DNS query: 246.102.69.11
Source: unknown; TCP traffic detected without corresponding DNS query: 46.69.90.219
Source: unknown; TCP traffic detected without corresponding DNS query: 46.219.79.180
Source: unknown; TCP traffic detected without corresponding DNS query: 165.221.112.169
Source: unknown; TCP traffic detected without corresponding DNS query: 96.4.121.61
Source: unknown; TCP traffic detected without corresponding DNS query: 27.96.57.37
Source: unknown; TCP traffic detected without corresponding DNS query: 113.155.135.253
Source: unknown; TCP traffic detected without corresponding DNS query: 37.115.7.130
Source: unknown; TCP traffic detected without corresponding DNS query: 156.254.243.153
Source: unknown; TCP traffic detected without corresponding DNS query: 82.84.103.132
Source: unknown; TCP traffic detected without corresponding DNS query: 46.50.141.75
Source: unknown; TCP traffic detected without corresponding DNS query: 70.21.242.15
Source: unknown; TCP traffic detected without corresponding DNS query: 171.189.146.162
Source: unknown; TCP traffic detected without corresponding DNS query: 91.215.171.38
Source: unknown; TCP traffic detected without corresponding DNS query: 105.113.252.83
Source: unknown; TCP traffic detected without corresponding DNS query: 98.242.35.32
Source: unknown; TCP traffic detected without corresponding DNS query: 254.246.149.1
Source: unknown; TCP traffic detected without corresponding DNS query: 98.71.162.169
Source: unknown; TCP traffic detected without corresponding DNS query: 163.190.194.226
Source: unknown; TCP traffic detected without corresponding DNS query: 12.221.134.193
Source: unknown; TCP traffic detected without corresponding DNS query: 178.226.172.132
Source: unknown; TCP traffic detected without corresponding DNS query: 8.195.127.199
Source: unknown; TCP traffic detected without corresponding DNS query: 88.234.97.251

      System Summary

Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: SSBFSIj3wk, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: ELF static info symbol of initial sample; .symtab present: no
Source: /tmp/SSBFSIj3wk (PID: 6234); SIGKILL sent: pid: 936, result: successful
Source: Initial sample; String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample; String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample; String containing 'busybox' found: Connected To CNCrootarm5arm6arm7oginsernamevrdvsccountenterasswordusyboxulti-callhelp$#~nvalidailedncorrecteniedrroroodbyebad: applet not found/var//dev//mnt//var/run//var/tmp//dev/netslink//dev/shm//bin//etc//boot//usr//sys/xc3511xmhdipcklv123hi3518jvbzd1234562wj9fsa2>%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: classification engine; Classification label: mal68.troj.lin@0/0@43/0
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/6234/exe
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/491/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/793/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/772/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/796/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/774/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/797/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/777/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/799/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/658/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/912/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/759/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/936/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/918/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/1/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/761/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/785/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/884/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/720/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/721/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/788/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/789/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/800/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/801/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/847/fd
Source: /tmp/SSBFSIj3wk (PID: 6234); File opened: /proc/904/fd

      Stealing of Sensitive Information

Source: Yara match; File source: SSBFSIj3wk, type: SAMPLE
Source: Yara match; File source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match; File source: SSBFSIj3wk, type: SAMPLE
Source: Yara match; File source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY

MITRE ATT&CK Matrix (flattened in extraction; listed per tactic column, rows top to bottom; a leading number is the report's match count for that technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 2 Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
      No configs have been found

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Number of created Files
      • Is malicious
      • Internet
Behavior Graph (rendered graphically in the original; node data recovered from the extraction)
Behavior Graph ID: 679620
Sample: SSBFSIj3wk
Start date: 06/08/2022
Architecture: LINUX
Score: 68
Network nodes: arcticboatz.cz; 94.142.35.113 port 23 (ZAIN-JO, Jordan); 99 other IPs or domains
Signature nodes: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; Machine Learning detection for sample
Process tree: SSBFSIj3wk started; it started four child SSBFSIj3wk processes; one of those started two further SSBFSIj3wk processes; one of those started one more SSBFSIj3wk process
Source | Detection | Scanner | Label
SSBFSIj3wk | 54% | Virustotal |
SSBFSIj3wk | 62% | ReversingLabs | Linux.Trojan.Mirai
SSBFSIj3wk | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
arcticboatz.cz | 12% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
arcticboatz.cz | 46.23.109.40 | true | true | | unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IPDomainCountryFlagASNASN NameMalicious
Match | Associated Sample Name / URL | SHA 256 | Detection | Context