Linux Analysis Report
053KMGBaf9

Overview

General Information

Sample Name:	053KMGBaf9
Analysis ID:	679626
MD5:	c57334b670d157d68d65d60cea48de7c
SHA1:	614f699b13119099ddbf8721dceddd2d67599c9d
SHA256:	5c1314b1b4c355204fc24ab311535e257002c54e6372fda79b3906cd3f70b09c
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Contains symbols with names commonly found in malware

Yara signature match

Yara detected Mirai

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample and/or dropped files contains symbols with suspicious names

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 053KMGBaf9

Avira: detected

Multi AV Scanner detection for submitted file

Source: 053KMGBaf9	Virustotal: Detection: 50%	Perma Link
Source: 053KMGBaf9	Metadefender: Detection: 37%	Perma Link
Source: 053KMGBaf9	ReversingLabs: Detection: 69%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51548
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51560
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51574
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51584
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51588
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51594
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51600
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51606

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312

Sample listens on a socket

Source: /tmp/053KMGBaf9 (PID: 6229)	Socket: 127.0.0.1::1312			Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	Socket: 0.0.0.0::0			Jump to behavior

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 147.74.31.21
Source: unknown	TCP traffic detected without corresponding DNS query: 34.161.98.18
Source: unknown	TCP traffic detected without corresponding DNS query: 155.34.244.106
Source: unknown	TCP traffic detected without corresponding DNS query: 94.209.56.17
Source: unknown	TCP traffic detected without corresponding DNS query: 67.122.189.108
Source: unknown	TCP traffic detected without corresponding DNS query: 201.135.200.22
Source: unknown	TCP traffic detected without corresponding DNS query: 125.235.29.85
Source: unknown	TCP traffic detected without corresponding DNS query: 85.47.7.119
Source: unknown	TCP traffic detected without corresponding DNS query: 67.251.177.228
Source: unknown	TCP traffic detected without corresponding DNS query: 63.59.137.131
Source: unknown	TCP traffic detected without corresponding DNS query: 85.105.170.167
Source: unknown	TCP traffic detected without corresponding DNS query: 78.197.185.174
Source: unknown	TCP traffic detected without corresponding DNS query: 144.34.161.111
Source: unknown	TCP traffic detected without corresponding DNS query: 35.112.99.253
Source: unknown	TCP traffic detected without corresponding DNS query: 81.104.239.23
Source: unknown	TCP traffic detected without corresponding DNS query: 146.41.84.199
Source: unknown	TCP traffic detected without corresponding DNS query: 117.54.200.64
Source: unknown	TCP traffic detected without corresponding DNS query: 109.9.155.125
Source: unknown	TCP traffic detected without corresponding DNS query: 200.25.215.113
Source: unknown	TCP traffic detected without corresponding DNS query: 83.209.244.162
Source: unknown	TCP traffic detected without corresponding DNS query: 12.29.178.49
Source: unknown	TCP traffic detected without corresponding DNS query: 48.89.213.40
Source: unknown	TCP traffic detected without corresponding DNS query: 186.130.154.124
Source: unknown	TCP traffic detected without corresponding DNS query: 97.183.9.204
Source: unknown	TCP traffic detected without corresponding DNS query: 94.45.227.121
Source: unknown	TCP traffic detected without corresponding DNS query: 9.216.158.196
Source: unknown	TCP traffic detected without corresponding DNS query: 115.126.79.5
Source: unknown	TCP traffic detected without corresponding DNS query: 158.0.13.51
Source: unknown	TCP traffic detected without corresponding DNS query: 17.225.111.190
Source: unknown	TCP traffic detected without corresponding DNS query: 199.47.95.60
Source: unknown	TCP traffic detected without corresponding DNS query: 58.7.226.202
Source: unknown	TCP traffic detected without corresponding DNS query: 2.117.208.6
Source: unknown	TCP traffic detected without corresponding DNS query: 248.33.255.247
Source: unknown	TCP traffic detected without corresponding DNS query: 166.235.19.193
Source: unknown	TCP traffic detected without corresponding DNS query: 104.172.185.82
Source: unknown	TCP traffic detected without corresponding DNS query: 174.41.254.172
Source: unknown	TCP traffic detected without corresponding DNS query: 119.134.228.55
Source: unknown	TCP traffic detected without corresponding DNS query: 164.186.199.29
Source: unknown	TCP traffic detected without corresponding DNS query: 158.157.187.10
Source: unknown	TCP traffic detected without corresponding DNS query: 90.52.235.247
Source: unknown	TCP traffic detected without corresponding DNS query: 223.125.161.4
Source: unknown	TCP traffic detected without corresponding DNS query: 106.20.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 48.62.25.163
Source: unknown	TCP traffic detected without corresponding DNS query: 100.231.39.160
Source: unknown	TCP traffic detected without corresponding DNS query: 213.107.6.93
Source: unknown	TCP traffic detected without corresponding DNS query: 9.254.102.218
Source: unknown	TCP traffic detected without corresponding DNS query: 1.221.116.148
Source: unknown	TCP traffic detected without corresponding DNS query: 242.207.58.33
Source: unknown	TCP traffic detected without corresponding DNS query: 177.239.135.16
Source: unknown	TCP traffic detected without corresponding DNS query: 97.196.1.36

System Summary

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_get_opt_str
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_kill_all
Source: ELF static info symbol of initial sample	Name: attack_method.c
Source: ELF static info symbol of initial sample	Name: attack_method_greeth
Source: ELF static info symbol of initial sample	Name: attack_method_greip
Source: ELF static info symbol of initial sample	Name: attack_method_std

Yara signature match

Source: 053KMGBaf9, type: SAMPLE

Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 date = 2022-03-16, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant

Sample and/or dropped files contains symbols with suspicious names

Source: 053KMGBaf9

ELF static info symbol of initial sample: __gnu_unwind_execute

Sample tries to kill a process (SIGKILL)

Source: /tmp/053KMGBaf9 (PID: 6241)

SIGKILL sent: pid: 936, result: successful

Jump to behavior

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample	String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'

Source: classification engine

Classification label: mal72.troj.lin@0/0@47/0

Enumerates processes within the "proc" file system

Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/491/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/793/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/772/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/796/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/774/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/797/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/799/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/658/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/912/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/759/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/936/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/918/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/761/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/785/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/884/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/720/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/721/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/788/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/789/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/801/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/847/fd	Jump to behavior
Source: /tmp/053KMGBaf9 (PID: 6241)	File opened: /proc/904/fd	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51548
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51560
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51574
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51584
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51588
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51594
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51600
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51606

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/053KMGBaf9 (PID: 6229)

Queries kernel information via 'uname':

Jump to behavior

Source: 053KMGBaf9, 6229.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6328.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6242.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp	Binary or memory string: Cx86_64/usr/bin/qemu-arm/tmp/053KMGBaf9SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/053KMGBaf9
Source: 053KMGBaf9, 6229.1.0000558cfce46000.0000558cfcf96000.rw-.sdmp, 053KMGBaf9, 6328.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp, 053KMGBaf9, 6242.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 053KMGBaf9, 6229.1.0000558cfce46000.0000558cfcf96000.rw-.sdmp, 053KMGBaf9, 6328.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp, 053KMGBaf9, 6242.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 053KMGBaf9, 6229.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6328.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6242.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Yara detected Mirai

Source: Yara match	File source: 053KMGBaf9, type: SAMPLE
Source: Yara match	File source: 6328.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6242.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6229.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: 053KMGBaf9, type: SAMPLE
Source: Yara match	File source: 6328.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6242.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6229.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
166.7.72.217	unknown	United States	4152	USDA-1US	false
252.7.104.73	unknown	Reserved	unknown	unknown	false
58.24.164.126	unknown	China	9812	CNNIC-CN-COLNETOrientalCableNetworkCoLtdCN	false
240.190.252.10	unknown	Reserved	unknown	unknown	false
245.90.184.171	unknown	Reserved	unknown	unknown	false
252.23.219.123	unknown	Reserved	unknown	unknown	false
220.239.175.195	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
153.154.14.21	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
200.2.112.243	unknown	Chile	11340	RedUniversitariaNacionalCL	false
165.59.70.26	unknown	Zambia	37154	ZAMTELZM	false
162.226.107.190	unknown	United States	7018	ATT-INTERNET4US	false
207.9.61.171	unknown	United States	2828	XO-AS15US	false
5.71.50.161	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
160.16.155.143	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	false
107.116.72.33	unknown	United States	7018	ATT-INTERNET4US	false
34.202.132.169	unknown	United States	14618	AMAZON-AESUS	false
40.128.249.10	unknown	United States	7029	WINDSTREAMUS	false
188.61.151.65	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
31.89.220.128	unknown	United Kingdom	12576	EELtdGB	false
2.139.108.167	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
1.95.70.185	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
118.243.197.102	unknown	Japan	4685	ASAHI-NETAsahiNetJP	false
8.63.103.106	unknown	United States	3356	LEVEL3US	false
117.234.157.89	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
83.177.179.149	unknown	Sweden	39651	COMHEM-SWEDENSE	false
20.104.11.37	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.252.54.190	unknown	United States	4249	LILLY-ASUS	false
220.104.185.229	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
4.239.231.7	unknown	United States	3356	LEVEL3US	false
65.161.79.168	unknown	United States	1239	SPRINTLINKUS	false
162.108.11.138	unknown	United States	13325	STOMIUS	false
125.25.83.207	unknown	Thailand	23969	TOT-NETTOTPublicCompanyLimitedTH	false
204.99.50.171	unknown	United States	18862	NCS-HEALTHCAREUS	false
9.137.26.21	unknown	United States	3356	LEVEL3US	false
181.40.129.215	unknown	Paraguay	23201	TelecelSAPY	false
172.97.92.241	unknown	United States	40676	AS40676US	false
220.171.72.19	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
147.158.158.127	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
208.29.80.117	unknown	United States	1239	SPRINTLINKUS	false
60.122.129.154	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
249.243.93.216	unknown	Reserved	unknown	unknown	false
86.163.251.200	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
212.148.188.98	unknown	United Kingdom	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
174.214.108.48	unknown	United States	22394	CELLCOUS	false
78.107.50.86	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
44.6.26.184	unknown	United States	7377	UCSDUS	false
100.8.235.184	unknown	United States	701	UUNETUS	false
218.176.202.247	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
119.30.180.255	unknown	Korea Republic of	38086	IP4NET-AS-KRIP4NetworksIncKR	false
48.129.51.241	unknown	United States	2686	ATGS-MMD-ASUS	false
53.251.99.242	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
205.143.25.14	unknown	United States	30404	BSCL-11US	false
217.209.212.151	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
89.16.77.149	unknown	Ireland	35226	RIPPLECOM-ASIE	false
96.32.199.65	unknown	United States	20115	CHARTER-20115US	false
39.217.19.48	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
43.201.19.65	unknown	Japan	4249	LILLY-ASUS	false
162.120.134.193	unknown	United States	18722	SUPERVALUUS	false
54.137.40.142	unknown	United States	14618	AMAZON-AESUS	false
90.187.61.70	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	false
198.35.163.211	unknown	United States	3380	PPPL-AS1US	false
190.29.97.132	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
157.215.240.65	unknown	United States	4704	SANNETRakutenMobileIncJP	false
73.97.127.126	unknown	United States	7922	COMCAST-7922US	false
113.40.35.225	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
150.135.225.43	unknown	United States	1706	UNIV-ARIZUS	false
91.142.10.36	unknown	Latvia	20910	BALTKOM-ASLV	false
150.27.60.97	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
58.116.87.231	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
208.38.90.37	unknown	United States	7029	WINDSTREAMUS	false
162.251.90.156	unknown	United States	53830	VPDC-1US	false
221.135.3.149	unknown	India	9583	SIFY-AS-INSifyLimitedIN	false
98.169.64.216	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
117.234.133.71	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
240.126.231.43	unknown	Reserved	unknown	unknown	false
142.114.121.47	unknown	Canada	577	BACOMCA	false
24.202.78.13	unknown	Canada	5769	VIDEOTRONCA	false
53.169.5.216	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
198.156.62.157	unknown	United States	18676	AVAYAUS	false
194.128.173.39	unknown	United Kingdom	702	UUNETUS	false
207.123.91.103	unknown	United States	3356	LEVEL3US	false
141.158.165.102	unknown	United States	701	UUNETUS	false
77.233.117.177	unknown	France	42117	INOLIA-ASFR	false
119.189.1.241	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
68.73.144.167	unknown	United States	7018	ATT-INTERNET4US	false
92.126.57.123	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
152.33.196.114	unknown	United States	32417	ELONU-ASUS	false
249.238.2.114	unknown	Reserved	unknown	unknown	false
102.99.141.93	unknown	Morocco	36925	ASMediMA	false
209.52.64.255	unknown	Canada	852	ASN852CA	false
185.115.194.33	unknown	Germany	59921	SWFI-DE	false
183.147.200.128	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
197.55.34.206	unknown	Egypt	8452	TE-ASTE-ASEG	false
58.234.32.246	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
87.123.149.108	unknown	Germany	8881	VERSATELDE	false
17.196.104.95	unknown	United States	714	APPLE-ENGINEERINGUS	false
155.160.24.81	unknown	Japan	37532	ZAMRENZM	false
103.54.19.215	unknown	India	134000	GBPSNETWORKS-AS-INGBPSNETWORKSPRIVATELIMITEDIN	false
243.48.194.102	unknown	Reserved	unknown	unknown	false
174.55.9.75	unknown	United States	7922	COMCAST-7922US	false

Contacted Domains

Name	IP	Active
arcticboatz.cz	46.23.109.40	true

ID:	679626
Product:	CloudBasic
Start time:	07:09:31
Start date:	06.08.2022
Sample:	053KMGBaf9
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	c57334b670d157d68d65d60cea48de7c
SHA1:	614f699b13119099ddbf8721dceddd2d67599c9d
SHA256:	5c1314b1b4c355204fc24ab311535e257002c54e6372fda79b3906cd3f70b09c
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
053KMGBaf9

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report 053KMGBaf9

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
053KMGBaf9