Source: 053KMGBaf9 |
Virustotal: Detection: 50% |
Source: 053KMGBaf9 |
Metadefender: Detection: 37% |
Source: 053KMGBaf9 |
ReversingLabs: Detection: 69% |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51542 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51548 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51560 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51568 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51574 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51584 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51588 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51594 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51600 |
Source: unknown |
Network traffic detected: HTTP traffic on port 23 -> 51606 |
Source: global traffic |
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: global traffic |
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312 |
Source: /tmp/053KMGBaf9 (PID: 6229) |
Socket: 127.0.0.1::1312 |
Source: /tmp/053KMGBaf9 (PID: 6241) |
Socket: 0.0.0.0::0 |
Source: unknown |
DNS traffic detected: queries for: arcticboatz.cz |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: ELF static info symbol of initial sample |
Name: attack.c |
Source: ELF static info symbol of initial sample |
Name: attack_get_opt_int |
Source: ELF static info symbol of initial sample |
Name: attack_get_opt_ip |
Source: ELF static info symbol of initial sample |
Name: attack_get_opt_str |
Source: ELF static info symbol of initial sample |
Name: attack_init |
Source: ELF static info symbol of initial sample |
Name: attack_kill_all |
Source: ELF static info symbol of initial sample |
Name: attack_method.c |
Source: ELF static info symbol of initial sample |
Name: attack_method_greeth |
Source: ELF static info symbol of initial sample |
Name: attack_method_greip |
Source: ELF static info symbol of initial sample |
Name: attack_method_std |
Source: 053KMGBaf9, type: SAMPLE |
Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 date = 2022-03-16, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant |
Source: 053KMGBaf9 |
ELF static info symbol of initial sample: __gnu_unwind_execute |
Source: /tmp/053KMGBaf9 (PID: 6241) |
SIGKILL sent: pid: 936, result: successful |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox AK1K2 |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45' |
Source: Initial sample |
String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
Source: Initial sample |
String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45' |
Source: classification engine |
Classification label: mal72.troj.lin@0/0@47/0 |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/491/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/793/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/772/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/796/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/774/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/797/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/777/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/799/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/658/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/912/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/759/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/936/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/918/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/1/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/761/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/785/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/884/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/720/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/721/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/788/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/789/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/800/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/801/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/847/fd |
Source: /tmp/053KMGBaf9 (PID: 6241) |
File opened: /proc/904/fd |
Source: /tmp/053KMGBaf9 (PID: 6229) |
Queries kernel information via 'uname': |
Source: 053KMGBaf9, 6229.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6328.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6242.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp |
Binary or memory string: Cx86_64/usr/bin/qemu-arm/tmp/053KMGBaf9SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/053KMGBaf9 |
Source: 053KMGBaf9, 6229.1.0000558cfce46000.0000558cfcf96000.rw-.sdmp, 053KMGBaf9, 6328.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp, 053KMGBaf9, 6242.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/arm |
Source: 053KMGBaf9, 6229.1.0000558cfce46000.0000558cfcf96000.rw-.sdmp, 053KMGBaf9, 6328.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp, 053KMGBaf9, 6242.1.0000558cfce46000.0000558cfcf74000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
Source: 053KMGBaf9, 6229.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6328.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp, 053KMGBaf9, 6242.1.00007ffe9ccb7000.00007ffe9ccd8000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |
Source: Yara match |
File source: 053KMGBaf9, type: SAMPLE |
Source: Yara match |
File source: 6328.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6242.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY |
Source: Yara match |
File source: 6229.1.00007f9504017000.00007f9504033000.r-x.sdmp, type: MEMORY |