Linux Analysis Report
HUIHmcbfpW

Overview

General Information

Sample Name: HUIHmcbfpW
Analysis ID: 680642
MD5: 7463d28ae705f29277567f6888315855
SHA1: ca0836b4c352f1dd91a77422b952987f466f40e3
SHA256: ed29224a554dd58df35208de727e297679bcbe2101d877e67736986deecffa8f
Tags: 32elfmiraipowerpc
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
ELF contains segments with high entropy indicating compressed/encrypted content

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: HUIHmcbfpW Virustotal: Detection: 41% Perma Link

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52774
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52804
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52824
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52834
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52838
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52844
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52850
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52856
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52864
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52870
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:35686 -> 208.67.106.33:1312
Sample listens on a socket
Source: /tmp/HUIHmcbfpW (PID: 6228) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) Socket: 0.0.0.0::0 Jump to behavior
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.106.33
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.106.33
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.106.33
Source: unknown TCP traffic detected without corresponding DNS query: 34.196.200.1
Source: unknown TCP traffic detected without corresponding DNS query: 213.223.108.162
Source: unknown TCP traffic detected without corresponding DNS query: 202.126.138.58
Source: unknown TCP traffic detected without corresponding DNS query: 118.55.100.58
Source: unknown TCP traffic detected without corresponding DNS query: 179.100.216.194
Source: unknown TCP traffic detected without corresponding DNS query: 196.207.30.117
Source: unknown TCP traffic detected without corresponding DNS query: 24.115.44.80
Source: unknown TCP traffic detected without corresponding DNS query: 165.14.99.245
Source: unknown TCP traffic detected without corresponding DNS query: 243.55.137.136
Source: unknown TCP traffic detected without corresponding DNS query: 184.99.170.148
Source: unknown TCP traffic detected without corresponding DNS query: 216.72.48.251
Source: unknown TCP traffic detected without corresponding DNS query: 63.87.34.207
Source: unknown TCP traffic detected without corresponding DNS query: 85.191.128.179
Source: unknown TCP traffic detected without corresponding DNS query: 178.117.176.43
Source: unknown TCP traffic detected without corresponding DNS query: 250.121.216.21
Source: unknown TCP traffic detected without corresponding DNS query: 172.99.97.86
Source: unknown TCP traffic detected without corresponding DNS query: 85.85.156.204
Source: unknown TCP traffic detected without corresponding DNS query: 247.143.53.199
Source: unknown TCP traffic detected without corresponding DNS query: 153.195.100.147
Source: unknown TCP traffic detected without corresponding DNS query: 20.162.48.51
Source: unknown TCP traffic detected without corresponding DNS query: 83.100.124.145
Source: unknown TCP traffic detected without corresponding DNS query: 202.95.72.248
Source: unknown TCP traffic detected without corresponding DNS query: 218.72.48.7
Source: unknown TCP traffic detected without corresponding DNS query: 81.83.174.195
Source: unknown TCP traffic detected without corresponding DNS query: 184.55.253.24
Source: unknown TCP traffic detected without corresponding DNS query: 95.227.201.237
Source: unknown TCP traffic detected without corresponding DNS query: 148.193.195.219
Source: unknown TCP traffic detected without corresponding DNS query: 135.73.167.4
Source: unknown TCP traffic detected without corresponding DNS query: 81.116.113.66
Source: unknown TCP traffic detected without corresponding DNS query: 74.67.21.210
Source: unknown TCP traffic detected without corresponding DNS query: 60.67.32.108
Source: unknown TCP traffic detected without corresponding DNS query: 124.91.82.9
Source: unknown TCP traffic detected without corresponding DNS query: 164.124.144.11
Source: unknown TCP traffic detected without corresponding DNS query: 57.136.201.248
Source: unknown TCP traffic detected without corresponding DNS query: 144.3.73.153
Source: unknown TCP traffic detected without corresponding DNS query: 4.160.44.112
Source: unknown TCP traffic detected without corresponding DNS query: 182.54.215.204
Source: unknown TCP traffic detected without corresponding DNS query: 161.144.42.95
Source: unknown TCP traffic detected without corresponding DNS query: 159.248.85.135
Source: unknown TCP traffic detected without corresponding DNS query: 159.165.131.77
Source: unknown TCP traffic detected without corresponding DNS query: 183.202.75.168
Source: unknown TCP traffic detected without corresponding DNS query: 37.208.213.227
Source: unknown TCP traffic detected without corresponding DNS query: 152.128.119.234
Source: unknown TCP traffic detected without corresponding DNS query: 196.53.232.254
Source: unknown TCP traffic detected without corresponding DNS query: 45.100.207.75
Source: unknown TCP traffic detected without corresponding DNS query: 218.13.131.203
Source: HUIHmcbfpW String found in binary or memory: http://upx.sf.net

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6336.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6336.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6229.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6229.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6228.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6228.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6342.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6342.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6330.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6330.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6235.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6235.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6325.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6325.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6226.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6226.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6228, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6228, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6235, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6235, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6330, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6330, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6336, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6336, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: HUIHmcbfpW PID: 6342, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: 6336.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6336.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6229.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6229.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6228.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6228.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6342.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6342.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6330.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6330.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6235.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6235.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6325.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6325.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6226.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6226.1.00007f8a6400b000.00007f8a64010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6228, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6228, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6235, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6235, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6330, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6330, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6336, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6336, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: HUIHmcbfpW PID: 6342, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Sample tries to kill a process (SIGKILL)
Source: /tmp/HUIHmcbfpW (PID: 6228) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: classification engine Classification label: mal72.troj.evad.lin@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Enumerates processes within the "proc" file system
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/491/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/793/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/772/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/796/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/774/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/797/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/777/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/799/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/658/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/912/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/759/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/936/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/918/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/1/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/761/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/785/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/884/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/720/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/721/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/788/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/789/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/800/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/801/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/847/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6234) File opened: /proc/904/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/491/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/793/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/772/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/796/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/774/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/797/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/777/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/799/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/658/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/912/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/759/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/936/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/918/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/1/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/761/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/785/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/884/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/720/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/721/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/788/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/789/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/800/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/801/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/847/fd Jump to behavior
Source: /tmp/HUIHmcbfpW (PID: 6228) File opened: /proc/904/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52774
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52804
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52824
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52834
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52838
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52844
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52850
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52856
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52864
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52870
ELF contains segments with high entropy indicating compressed/encrypted content
Source: HUIHmcbfpW Submission file: segment LOAD with 7.9313 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/HUIHmcbfpW (PID: 6226) Queries kernel information via 'uname': Jump to behavior
Source: HUIHmcbfpW, 6226.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6228.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6325.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6342.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6330.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6229.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6336.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6235.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp Binary or memory string: 8x86_64/usr/bin/qemu-ppc/tmp/HUIHmcbfpWSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/HUIHmcbfpW
Source: HUIHmcbfpW, 6226.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: HUIHmcbfpW, 6228.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6325.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6342.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6330.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6229.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6336.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6235.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: HUIHmcbfpW, 6226.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6228.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6325.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6342.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6330.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6229.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6336.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp, HUIHmcbfpW, 6235.1.0000558ea9f73000.0000558eaa023000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: HUIHmcbfpW, 6226.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6228.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6325.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6342.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6330.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6229.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6336.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp, HUIHmcbfpW, 6235.1.00007ffda5dce000.00007ffda5def000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
115.70.214.247
 unknown Australia
10143 EXETEL-AS-APExetelPtyLtdAU false
75.108.75.216
 unknown United States
19108 SUDDENLINK-COMMUNICATIONSUS false
93.195.229.176
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
34.133.78.216
 unknown United States
2686 ATGS-MMD-ASUS false
114.199.124.68
 unknown Indonesia
24525 SAP-AS-IDPTSolusiAksesindoPratamaID false
218.33.69.123
 unknown Indonesia
9919 NCIC-TWNewCenturyInfoCommTechCoLtdTW false
155.195.109.15
 unknown United States
8698 NationwideBuildingSocietyGB false
183.195.9.118
 unknown China
24400 CMNET-V4SHANGHAI-AS-APShanghaiMobileCommunicationsCoLt false
218.131.175.97
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
75.123.52.91
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
213.153.202.31
 unknown Turkey
34984 TELLCOM-ASTR false
34.81.60.26
 unknown United States
15169 GOOGLEUS false
244.122.119.68
 unknown Reserved
unknown unknown false
207.16.235.134
 unknown United States
701 UUNETUS false
35.1.148.43
 unknown United States
36375 UMICH-AS-5US false
41.225.142.123
 unknown Tunisia
37671 GLOBALNET-ASTN false
75.9.11.2
 unknown United States
7018 ATT-INTERNET4US false
17.226.59.114
 unknown United States
714 APPLE-ENGINEERINGUS false
18.8.247.30
 unknown United States
3 MIT-GATEWAYSUS false
108.184.71.71
 unknown United States
20001 TWC-20001-PACWESTUS false
80.94.206.63
 unknown United Kingdom
199335 TALKSTRAIGHTGB false
17.11.240.42
 unknown United States
714 APPLE-ENGINEERINGUS false
194.248.0.38
 unknown Norway
2119 TELENOR-NEXTELTelenorNorgeASNO false
100.25.217.60
 unknown United States
14618 AMAZON-AESUS false
150.57.210.52
 unknown Japan 17511 OPTAGEOPTAGEIncJP false
17.45.206.26
 unknown United States
714 APPLE-ENGINEERINGUS false
1.20.112.75
 unknown Thailand
23969 TOT-NETTOTPublicCompanyLimitedTH false
169.25.164.54
 unknown United States
37611 AfrihostZA false
106.17.155.36
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
123.140.76.147
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
40.29.213.216
 unknown United States
4249 LILLY-ASUS false
27.66.85.154
 unknown Viet Nam
7552 VIETEL-AS-APViettelGroupVN false
178.255.242.149
 unknown Italy
13287 NIXVALIP-ASNIXVALDatacenterES false
125.153.47.14
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
65.201.108.232
 unknown United States
701 UUNETUS false
194.220.87.9
 unknown Spain
12430 VODAFONE_ESES false
78.204.247.20
 unknown France
12322 PROXADFR false
247.49.166.233
 unknown Reserved
unknown unknown false
70.139.248.245
 unknown United States
7018 ATT-INTERNET4US false
147.136.11.53
 unknown United States
16753 UNASSIGNED false
148.250.20.98
 unknown Mexico
6503 AxtelSABdeCVMX false
161.45.98.33
 unknown United States
26335 MTSUUS false
151.208.146.197
 unknown United States
11003 PANDGUS false
240.48.3.48
 unknown Reserved
unknown unknown false
73.250.35.113
 unknown United States
7922 COMCAST-7922US false
32.143.82.94
 unknown United States
7018 ATT-INTERNET4US false
76.251.40.162
 unknown United States
7018 ATT-INTERNET4US false
208.52.153.4
 unknown United States
22626 VCI-22626US false
14.108.217.117
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
183.41.239.45
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
176.131.97.133
 unknown France
5410 BOUYGTEL-ISPFR false
43.36.69.65
 unknown Japan 4249 LILLY-ASUS false
73.33.179.23
 unknown United States
7922 COMCAST-7922US false
2.86.93.252
 unknown Greece
6799 OTENET-GRAthens-GreeceGR false
164.171.204.251
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
115.13.47.220
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
130.180.210.162
 unknown Ukraine
31343 INTERTELECOMUA false
177.112.198.189
 unknown Brazil
26599 TELEFONICABRASILSABR false
166.103.15.250
 unknown Korea Republic of
7029 WINDSTREAMUS false
156.14.91.235
 unknown Italy
137 ASGARRConsortiumGARREU false
32.198.117.210
 unknown United States
2686 ATGS-MMD-ASUS false
148.125.59.177
 unknown United States
2119 TELENOR-NEXTELTelenorNorgeASNO false
40.93.122.158
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
108.127.33.16
 unknown United States
10507 SPCSUS false
120.140.255.84
 unknown Malaysia
45177 DEVOLI-AS-APDevoliNZ false
84.107.200.105
 unknown Netherlands
33915 TNF-ASNL false
2.106.168.48
 unknown Denmark
3292 TDCTDCASDK false
150.108.196.65
 unknown United States
32531 FORDHAM-UNIVERSITYUS false
204.156.18.99
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
13.51.123.170
 unknown United States
16509 AMAZON-02US false
71.20.93.194
 unknown United States
7029 WINDSTREAMUS false
74.93.248.194
 unknown United States
7922 COMCAST-7922US false
23.240.15.65
 unknown United States
20001 TWC-20001-PACWESTUS false
130.34.207.192
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
190.162.40.247
 unknown Chile
22047 VTRBANDAANCHASACL false
60.63.70.32
 unknown China
9812 CNNIC-CN-COLNETOrientalCableNetworkCoLtdCN false
178.52.228.3
 unknown Syrian Arab Republic
29256 INT-PDN-STE-ASSTEPDNInternalASSY false
9.62.229.54
 unknown United States
3356 LEVEL3US false
197.146.254.207
 unknown Morocco
36884 MAROCCONNECTMA false
13.207.127.225
 unknown United States
7018 ATT-INTERNET4US false
184.38.86.44
 unknown United States
5778 CENTURYLINK-LEGACY-EMBARQ-RCMTUS false
2.15.132.102
 unknown France
3215 FranceTelecom-OrangeFR false
95.187.223.59
 unknown Saudi Arabia
39891 ALJAWWALSTC-ASSA false
149.53.234.146
 unknown United States
174 COGENT-174US false
197.185.70.91
 unknown South Africa
37105 NEOLOGY-ASZA false
118.123.103.248
 unknown China
38283 CHINANET-SCIDC-AS-APCHINANETSiChuanTelecomInternetData false
87.44.156.228
 unknown Ireland
1213 HEANETIE false
223.223.106.42
 unknown Japan 18144 AS-ENECOMEnergiaCommunicationsIncJP false
78.180.81.253
 unknown Turkey
9121 TTNETTR false
174.243.224.93
 unknown United States
22394 CELLCOUS false
207.5.2.91
 unknown United States
22646 HARCOM1US false
93.141.216.21
 unknown Croatia (LOCAL Name: Hrvatska)
5391 T-HTCroatianTelecomIncHR false
16.107.72.161
 unknown United States
unknown unknown false
31.17.181.253
 unknown Germany
31334 KABELDEUTSCHLAND-ASDE false
60.233.124.194
 unknown China
1221 ASN-TELSTRATelstraCorporationLtdAU false
193.162.116.56
 unknown Denmark
210210 REGION-MIDTJYLLAND-DK false
223.64.16.29
 unknown China
56046 CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN false
125.8.172.81
 unknown Japan 9824 JTCL-JP-ASJupiterTelecommunicationCoLtdJP false
45.161.181.39
 unknown Argentina
266892 SEBECABLESRLAR false
174.47.121.216
 unknown United States
32419 BALDWIN-LYONSUS false