Linux Analysis Report
BWfKcndJCz

Overview

General Information

Sample Name: BWfKcndJCz
Analysis ID: 679622
MD5: 00e2f1330f45468f78497ea8c73e0b3d
SHA1: 00562d888ec7a88f8023e8252aef1480234e7c06
SHA256: febec5c5c4719ca23ad04e2f1b7ffe76b81035d5dd79d0eb1f61d9917886e022
Tags: 32 elf mirai renesas

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: BWfKcndJCz Virustotal: Detection: 40%
Source: BWfKcndJCz ReversingLabs: Detection: 40%

Networking

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49484
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49494
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49498
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43540
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49504
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43546
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49510
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43554
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49516
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43558
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49522
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43564
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49526
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43570
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49532
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43576
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43578
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43580
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 43582
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57354
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57358
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57360
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57364
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57366
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57372
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57378
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57380
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57384
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57388
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: /tmp/BWfKcndJCz (PID: 6270) Socket: 127.0.0.1::1312
Source: /tmp/BWfKcndJCz (PID: 6281) Socket: 0.0.0.0::0
Source: /tmp/BWfKcndJCz (PID: 6281) Socket: 0.0.0.0::53413
Source: /tmp/BWfKcndJCz (PID: 6281) Socket: 0.0.0.0::80
Source: unknown DNS traffic detected: queries for: arcticboatz.cz
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 130.178.235.45
Source: unknown TCP traffic detected without corresponding DNS query: 97.254.121.18
Source: unknown TCP traffic detected without corresponding DNS query: 92.51.44.34
Source: unknown TCP traffic detected without corresponding DNS query: 245.199.218.18
Source: unknown TCP traffic detected without corresponding DNS query: 114.32.252.187
Source: unknown TCP traffic detected without corresponding DNS query: 178.88.163.32
Source: unknown TCP traffic detected without corresponding DNS query: 82.134.184.5
Source: unknown TCP traffic detected without corresponding DNS query: 180.208.179.221
Source: unknown TCP traffic detected without corresponding DNS query: 1.21.212.2
Source: unknown TCP traffic detected without corresponding DNS query: 86.252.252.159
Source: unknown TCP traffic detected without corresponding DNS query: 32.21.5.32
Source: unknown TCP traffic detected without corresponding DNS query: 162.109.115.201
Source: unknown TCP traffic detected without corresponding DNS query: 152.123.118.152
Source: unknown TCP traffic detected without corresponding DNS query: 44.187.123.210
Source: unknown TCP traffic detected without corresponding DNS query: 122.154.229.193
Source: unknown TCP traffic detected without corresponding DNS query: 186.67.23.78
Source: unknown TCP traffic detected without corresponding DNS query: 161.109.108.0
Source: unknown TCP traffic detected without corresponding DNS query: 105.3.142.125
Source: unknown TCP traffic detected without corresponding DNS query: 14.143.111.75
Source: unknown TCP traffic detected without corresponding DNS query: 141.13.41.240
Source: unknown TCP traffic detected without corresponding DNS query: 118.173.205.59
Source: unknown TCP traffic detected without corresponding DNS query: 189.227.114.192
Source: unknown TCP traffic detected without corresponding DNS query: 76.63.234.178
Source: unknown TCP traffic detected without corresponding DNS query: 12.227.132.97
Source: unknown TCP traffic detected without corresponding DNS query: 157.116.37.48
Source: unknown TCP traffic detected without corresponding DNS query: 218.47.154.164
Source: unknown TCP traffic detected without corresponding DNS query: 249.102.187.221
Source: unknown TCP traffic detected without corresponding DNS query: 125.133.233.75
Source: unknown TCP traffic detected without corresponding DNS query: 43.5.150.128
Source: unknown TCP traffic detected without corresponding DNS query: 196.32.29.125
Source: unknown TCP traffic detected without corresponding DNS query: 58.160.84.42
Source: unknown TCP traffic detected without corresponding DNS query: 69.136.185.0
Source: unknown TCP traffic detected without corresponding DNS query: 187.71.89.163
Source: unknown TCP traffic detected without corresponding DNS query: 178.109.227.57
Source: unknown TCP traffic detected without corresponding DNS query: 24.213.203.226
Source: unknown TCP traffic detected without corresponding DNS query: 2.25.30.89
Source: unknown TCP traffic detected without corresponding DNS query: 135.211.204.21
Source: unknown TCP traffic detected without corresponding DNS query: 4.55.192.84
Source: unknown TCP traffic detected without corresponding DNS query: 65.184.48.58
Source: unknown TCP traffic detected without corresponding DNS query: 157.226.29.109
Source: unknown TCP traffic detected without corresponding DNS query: 35.139.194.3
Source: unknown TCP traffic detected without corresponding DNS query: 109.49.145.61
Source: unknown TCP traffic detected without corresponding DNS query: 73.20.159.185
Source: unknown TCP traffic detected without corresponding DNS query: 250.130.92.49
Source: unknown TCP traffic detected without corresponding DNS query: 151.214.154.194
Source: unknown TCP traffic detected without corresponding DNS query: 171.112.64.222
Source: unknown TCP traffic detected without corresponding DNS query: 100.146.112.132
Source: unknown TCP traffic detected without corresponding DNS query: 59.208.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 243.215.24.159
Source: unknown TCP traffic detected without corresponding DNS query: 207.23.86.61

System Summary

Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/BWfKcndJCz (PID: 6281) SIGKILL sent: pid: 936, result: successful
Source: Initial sample String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
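The five 'busybox' strings above are the loader-side command templates a Mirai-style bot pushes over a telnet session: a bogus applet name as a presence probe ("/bin/busybox AK1K2"), copying busybox over scratch files and chmod-ing them to stage a dropper, and an echo-based binary upload terminated by a hex-escaped marker. The escaped string '\x45\x43\x48\x4f\x44\x4f\x4e\x45' decodes to ECHODONE. The following is an added example, not code from the report, the sandbox or the sample: a small Python classifier that decodes the escapes and tags each string with the loader stage it belongs to. The stage names and the regexes are mine; the input strings are the ones quoted in the report.

```python
import re

# The five 'busybox' strings as quoted in the report (copied, not constructed).
SAMPLE_STRINGS = [
    rb"/bin/busybox AK1K2",
    rb"/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t",
    rb"/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'",
    rb">%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t",
    rb">>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'",
]

ECHODONE = b"ECHODONE"  # what '\x45\x43\x48\x4f\x44\x4f\x4e\x45' decodes to

# Stage names are this example's own labels (assumption), not sandbox signature names.
LOADER_PATTERNS = {
    # "/bin/busybox <TOKEN>": a nonexistent applet name. busybox replies
    # "<TOKEN>: applet not found", which a loader can use to confirm busybox is there
    # and to delimit its own output.
    "token_probe": re.compile(rb"^/bin/busybox [A-Z0-9]{4,8}$"),
    # copy busybox over a scratch file, truncate it, chmod 777: staging a dropper
    "stage_dropper": re.compile(rb"busybox cp /bin/busybox (\S+) && >\1 && /bin/busybox chmod 777 \1"),
    # 'echo -en' with a payload chunk substituted for %s: the echo-based upload
    "echo_upload": re.compile(rb"busybox echo -en '%s'"),
    # the terminating marker, hex-escaped so it survives the remote shell
    "echo_done": re.compile(rb"busybox echo -en '((?:\\x[0-9a-fA-F]{2})+)'"),
}


def decode_hex_escapes(s: bytes) -> bytes:
    """Turn the \\xNN escapes a loader feeds to 'echo -en' back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(rb"\\x([0-9a-fA-F]{2})", s))


def classify(line: bytes) -> dict:
    """Tag one string with every loader stage it matches and decode any marker."""
    stages = [name for name, pat in LOADER_PATTERNS.items() if pat.search(line)]
    marker = None
    m = LOADER_PATTERNS["echo_done"].search(line)
    if m:
        marker = decode_hex_escapes(m.group(1))
    return {"stages": stages, "marker": marker, "is_echodone": marker == ECHODONE}


def loader_stages(lines) -> set:
    """The set of loader stages present across a whole string dump."""
    return {stage for line in lines for stage in classify(line)["stages"]}


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        print(classify(s), s[:60])
    print(sorted(loader_stages(SAMPLE_STRINGS)))
```

Run over a strings(1) dump of a suspect ELF, a result containing all four stages is a strong indicator that the binary carries a telnet loader, independent of any Yara rule name.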
Source: classification engine Classification label: mal68.troj.lin@0/0@54/0
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/491/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/793/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/772/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/796/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/774/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/797/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/777/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/799/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/658/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/912/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/759/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/936/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/918/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/1/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/761/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/785/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/884/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/720/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/721/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/788/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/789/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/800/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/801/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/847/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/904/fd
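The evidence above is one line per event and is grouped by signature rather than by time, which hides the two patterns an analyst cares about: the Networking section shows one resolved name, a handful of outbound flows and sockets, and dozens of connections to addresses that were never looked up in DNS (the scanner signature), while this section shows PID 6281 walking /proc/<pid>/fd for many processes and the SIGKILL it sent to PID 936, a PID it had enumerated. The following is an added example, not part of the report or of Joe Sandbox: a Python summariser for this "Source: ..." line format that extracts those facts and correlates the kill target with the enumerated PIDs. The input is a constructed excerpt whose PIDs, ports and addresses are copied from the lines above; the threshold and the field names are my own choices.

```python
import re
from collections import Counter

# Constructed excerpt in the report's own "Source: ..." line format; the PIDs, ports
# and addresses are copied from the evidence above, only the selection is mine.
REPORT_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49484
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49492
Source: global traffic TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: /tmp/BWfKcndJCz (PID: 6270) Socket: 127.0.0.1::1312
Source: /tmp/BWfKcndJCz (PID: 6281) Socket: 0.0.0.0::0
Source: /tmp/BWfKcndJCz (PID: 6281) Socket: 0.0.0.0::53413
Source: /tmp/BWfKcndJCz (PID: 6281) Socket: 0.0.0.0::80
Source: unknown DNS traffic detected: queries for: arcticboatz.cz
Source: unknown TCP traffic detected without corresponding DNS query: 130.178.235.45
Source: unknown TCP traffic detected without corresponding DNS query: 97.254.121.18
Source: unknown TCP traffic detected without corresponding DNS query: 92.51.44.34
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/491/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/936/fd
Source: /tmp/BWfKcndJCz (PID: 6281) File opened: /proc/1/fd
Source: /tmp/BWfKcndJCz (PID: 6281) SIGKILL sent: pid: 936, result: successful
"""

RE_SESSION = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
RE_FLOW    = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
RE_SOCKET  = re.compile(r"\(PID: (\d+)\) Socket: (\S+)::(\d+)")
RE_DNS     = re.compile(r"queries for: (\S+)")
RE_NODNS   = re.compile(r"without corresponding DNS query: (\S+)")
RE_PROCFD  = re.compile(r"\(PID: (\d+)\) File opened: /proc/(\d+)/fd")
RE_KILL    = re.compile(r"\(PID: (\d+)\) SIGKILL sent: pid: (\d+), result: (\w+)")


def summarize(text: str, scan_threshold: int = 3) -> dict:
    """Collapse the per-event lines into the facts an analyst actually triages on."""
    sessions = Counter()
    flows, dns_queries, no_dns, raw_kills = [], [], [], []
    listeners, local_binds, enumerated = {}, {}, {}
    for line in text.splitlines():
        if m := RE_SESSION.search(line):
            sessions[int(m[1])] += 1          # keyed by the port as the report prints it
        elif m := RE_FLOW.search(line):
            flows.append((m[1], int(m[2]), m[3], int(m[4])))
        elif m := RE_SOCKET.search(line):
            pid, addr, port = int(m[1]), m[2], int(m[3])
            if port == 0:
                continue                      # ephemeral bind, not a listener
            # A fixed loopback bind is worth listing separately: Mirai-family bots use
            # one as a single-instance lock (assumption about intent, not proven here).
            bucket = local_binds if addr.startswith("127.") else listeners
            bucket.setdefault(pid, []).append(port)
        elif m := RE_DNS.search(line):
            dns_queries.append(m[1])
        elif m := RE_NODNS.search(line):
            no_dns.append(m[1])
        elif m := RE_PROCFD.search(line):
            enumerated.setdefault(int(m[1]), set()).add(int(m[2]))
        elif m := RE_KILL.search(line):
            raw_kills.append((int(m[1]), int(m[2]), m[3]))
    # Lines are grouped by signature, not by time, so correlate after parsing
    # instead of relying on line order.
    kills = [{"by": by, "pid": pid, "result": res,
              "target_was_enumerated": pid in enumerated.get(by, set())}
             for by, pid, res in raw_kills]
    unique_no_dns = sorted(set(no_dns))
    return {
        "sessions_by_port": dict(sessions),
        "flows": flows,
        "dns_queries": dns_queries,
        "no_dns_destinations": unique_no_dns,
        # many distinct destinations that were never resolved is the scanner signature
        "scan_suspected": len(unique_no_dns) >= scan_threshold,
        "listeners": listeners,
        "local_binds": local_binds,
        "enumerated_pids": {k: sorted(v) for k, v in enumerated.items()},
        "kills": kills,
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(f"{key}: {value}")
```

The port-23 sessions are counted under the port the report prints; port 23 is telnet whatever the sandbox's "HTTP traffic" label says. On the full report the no-DNS destination count is 50, far above the threshold used here.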

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 23 -> 49484 (plus the 29 further port-23 sessions already listed under Networking; the identical lines are not repeated here)
Source: /tmp/BWfKcndJCz (PID: 6270) Queries kernel information via 'uname':
Source: BWfKcndJCz, 6270.1.00007ffe116e0000.00007ffe11701000.rw-.sdmp, BWfKcndJCz, 6368.1.00007ffe116e0000.00007ffe11701000.rw-.sdmp, BWfKcndJCz, 6282.1.00007ffe116e0000.00007ffe11701000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: BWfKcndJCz, 6270.1.000055ed5f758000.000055ed5f7bb000.rw-.sdmp, BWfKcndJCz, 6368.1.000055ed5f758000.000055ed5f7bb000.rw-.sdmp, BWfKcndJCz, 6282.1.000055ed5f758000.000055ed5f7bb000.rw-.sdmp Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: BWfKcndJCz, 6270.1.000055ed5f758000.000055ed5f7bb000.rw-.sdmp, BWfKcndJCz, 6368.1.000055ed5f758000.000055ed5f7bb000.rw-.sdmp, BWfKcndJCz, 6282.1.000055ed5f758000.000055ed5f7bb000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: BWfKcndJCz, 6270.1.00007ffe116e0000.00007ffe11701000.rw-.sdmp, BWfKcndJCz, 6368.1.00007ffe116e0000.00007ffe11701000.rw-.sdmp, BWfKcndJCz, 6282.1.00007ffe116e0000.00007ffe11701000.rw-.sdmp Binary or memory string: _Nx86_64/usr/bin/qemu-sh4/tmp/BWfKcndJCzSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/BWfKcndJCz
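The /usr/bin/qemu-sh4 and /etc/qemu-binfmt/sh4 strings in process memory are not the sample's own: they come from the sandbox running a SuperH (SH4, Renesas) binary under QEMU user-mode emulation via binfmt_misc, which is consistent with the 32, elf and renesas tags at the top of the report, and the '.symtab present: no' line is the stripped-binary check. The following is an added example, not code from the report, the sandbox or the sample: a Python ELF header triage that recovers those three facts (class, machine, presence of a SHT_SYMTAB section) from the file itself, so they can be confirmed without the sandbox. The sample is not embedded; the two ELF images used as input are constructed by a helper in the block, and the machine-name table is my own.

```python
import struct

# ELF constants (from the ELF specification). EM_SH covers the whole SuperH family;
# the exact core (SH4 etc.) is encoded in e_flags and is not decoded here.
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
SHT_SYMTAB = 2
EM_SH = 42
MACHINE_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM",
                 42: "SuperH (Renesas)", 62: "x86-64", 183: "AArch64"}


def elf_triage(data: bytes) -> dict:
    """Report class, endianness, machine and whether a .symtab section is present."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS32:
        fmt, hdr_end = "HHIIIIIHHHHHH", 52   # Elf32_Ehdr after e_ident
    elif ei_class == ELFCLASS64:
        fmt, hdr_end = "HHIQQQIHHHHHH", 64   # Elf64_Ehdr after e_ident
    else:
        raise ValueError("bad EI_CLASS")
    (_e_type, e_machine, _ver, _entry, _phoff, e_shoff, _flags,
     _ehsize, _phentsize, _phnum, e_shentsize, e_shnum, _shstrndx) = \
        struct.unpack(end + fmt, data[16:hdr_end])
    has_symtab = False
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        # sh_type is the second 32-bit field of both Elf32_Shdr and Elf64_Shdr
        (sh_type,) = struct.unpack(end + "I", data[off + 4:off + 8])
        if sh_type == SHT_SYMTAB:
            has_symtab = True
            break
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if end == "<" else "big",
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "is_superh": e_machine == EM_SH,
        "symtab_present": has_symtab,
    }


def build_elf32(machine: int, little_endian: bool, section_types: list) -> bytes:
    """Construct a minimal ELF32 header plus bare section headers (test fixture only)."""
    end = "<" if little_endian else ">"
    shnum = len(section_types)
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, 1 if little_endian else 2, 1]) + b"\x00" * 9
    ehdr = e_ident + struct.pack(end + "HHIIIIIHHHHHH",
                                 2, machine, 1, 0x400000, 0, 52 if shnum else 0, 0,
                                 52, 32, 0, 40, shnum, 0)
    shdrs = b"".join(struct.pack(end + "10I", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                     for t in section_types)
    return ehdr + shdrs


# Constructed fixtures: a stripped little-endian SuperH ELF (only the null section) and
# the same image with a SHT_SYMTAB section, i.e. what the symtab check distinguishes.
STRIPPED_SH4 = build_elf32(EM_SH, True, [0])
UNSTRIPPED_SH4 = build_elf32(EM_SH, True, [0, SHT_SYMTAB])

if __name__ == "__main__":
    print(elf_triage(STRIPPED_SH4))
    print(elf_triage(UNSTRIPPED_SH4))
```

Point elf_triage at the real file (open(path, "rb").read()) to cross-check the sandbox tags; a stripped SuperH result matches what the report claims about this sample.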

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: BWfKcndJCz, type: SAMPLE
Source: Yara match File source: 6368.1.00007f2810400000.00007f2810414000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6282.1.00007f2810400000.00007f2810414000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6270.1.00007f2810400000.00007f2810414000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: BWfKcndJCz, type: SAMPLE
Source: Yara match File source: 6368.1.00007f2810400000.00007f2810414000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6282.1.00007f2810400000.00007f2810414000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6270.1.00007f2810400000.00007f2810414000.r-x.sdmp, type: MEMORY