Linux Analysis Report
6e180puJTD

Overview

General Information

Sample Name: 6e180puJTD
Analysis ID: 680645
MD5: b19338343c7925b9ee1683f1371171f4
SHA1: 584b5f2f0dd993ab0e12869ec59f286174e31b18
SHA256: 091731e0f53b9f9b1c7d7c84b037c197b839949988d47aed4c8e23d6f3edaed5
Tags: 32elfmirairenesas
Infos:

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Yara signature match
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 6e180puJTD Virustotal: Detection: 54% Perma Link
Source: 6e180puJTD ReversingLabs: Detection: 53%

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38666
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38670
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38686
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38698
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38708
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38718
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38726
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38742
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38752
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:35686 -> 208.67.106.33:1312
Sample listens on a socket
Source: /tmp/6e180puJTD (PID: 6229) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/6e180puJTD (PID: 6229) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/6e180puJTD (PID: 6229) Socket: 0.0.0.0::80 Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) Socket: 0.0.0.0::80 Jump to behavior
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 80.151.104.16
Source: unknown TCP traffic detected without corresponding DNS query: 1.218.67.62
Source: unknown TCP traffic detected without corresponding DNS query: 208.67.106.33
Source: unknown TCP traffic detected without corresponding DNS query: 211.109.125.239
Source: unknown TCP traffic detected without corresponding DNS query: 217.156.54.239
Source: unknown TCP traffic detected without corresponding DNS query: 198.133.153.239
Source: unknown TCP traffic detected without corresponding DNS query: 112.191.239.84
Source: unknown TCP traffic detected without corresponding DNS query: 9.65.211.238
Source: unknown TCP traffic detected without corresponding DNS query: 255.199.230.89
Source: unknown TCP traffic detected without corresponding DNS query: 115.13.254.117
Source: unknown TCP traffic detected without corresponding DNS query: 192.239.65.94
Source: unknown TCP traffic detected without corresponding DNS query: 201.200.11.61
Source: unknown TCP traffic detected without corresponding DNS query: 4.61.38.229
Source: unknown TCP traffic detected without corresponding DNS query: 104.176.233.191
Source: unknown TCP traffic detected without corresponding DNS query: 41.234.231.234
Source: unknown TCP traffic detected without corresponding DNS query: 191.214.182.44
Source: unknown TCP traffic detected without corresponding DNS query: 112.205.38.26
Source: unknown TCP traffic detected without corresponding DNS query: 47.105.236.120
Source: unknown TCP traffic detected without corresponding DNS query: 13.234.4.3
Source: unknown TCP traffic detected without corresponding DNS query: 121.124.195.15
Source: unknown TCP traffic detected without corresponding DNS query: 24.163.56.67
Source: unknown TCP traffic detected without corresponding DNS query: 99.26.8.125
Source: unknown TCP traffic detected without corresponding DNS query: 107.39.125.205
Source: unknown TCP traffic detected without corresponding DNS query: 205.137.221.173
Source: unknown TCP traffic detected without corresponding DNS query: 190.96.21.175
Source: unknown TCP traffic detected without corresponding DNS query: 112.171.135.92
Source: unknown TCP traffic detected without corresponding DNS query: 190.27.231.27
Source: unknown TCP traffic detected without corresponding DNS query: 138.198.15.53
Source: unknown TCP traffic detected without corresponding DNS query: 19.57.20.104
Source: unknown TCP traffic detected without corresponding DNS query: 222.11.112.213
Source: unknown TCP traffic detected without corresponding DNS query: 46.173.176.166
Source: unknown TCP traffic detected without corresponding DNS query: 19.113.90.208
Source: unknown TCP traffic detected without corresponding DNS query: 201.64.243.183
Source: unknown TCP traffic detected without corresponding DNS query: 180.63.226.44
Source: unknown TCP traffic detected without corresponding DNS query: 161.23.181.198
Source: unknown TCP traffic detected without corresponding DNS query: 221.230.84.199
Source: unknown TCP traffic detected without corresponding DNS query: 119.195.113.201
Source: unknown TCP traffic detected without corresponding DNS query: 32.15.36.151
Source: unknown TCP traffic detected without corresponding DNS query: 169.127.204.159
Source: unknown TCP traffic detected without corresponding DNS query: 58.35.94.190
Source: unknown TCP traffic detected without corresponding DNS query: 145.149.88.112
Source: unknown TCP traffic detected without corresponding DNS query: 154.202.238.149
Source: unknown TCP traffic detected without corresponding DNS query: 35.20.122.151
Source: unknown TCP traffic detected without corresponding DNS query: 150.214.158.65
Source: unknown TCP traffic detected without corresponding DNS query: 82.174.6.191
Source: unknown TCP traffic detected without corresponding DNS query: 53.160.167.116
Source: unknown TCP traffic detected without corresponding DNS query: 71.155.51.73
Source: unknown TCP traffic detected without corresponding DNS query: 216.68.193.253
Source: unknown TCP traffic detected without corresponding DNS query: 223.87.130.201
Source: unknown TCP traffic detected without corresponding DNS query: 150.140.185.12

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6e180puJTD, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6e180puJTD, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/6e180puJTD (PID: 6229) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 847, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2097, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2180, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2208, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2275, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2281, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2285, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2289, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2294, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 6229, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 6237, result: successful Jump to behavior
Yara signature match
Source: 6e180puJTD, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6e180puJTD, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/6e180puJTD (PID: 6229) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 800, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 847, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2097, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2180, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2208, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2275, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2281, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2285, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2289, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 2294, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 6229, result: successful Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) SIGKILL sent: pid: 6237, result: successful Jump to behavior
Source: classification engine Classification label: mal80.spre.troj.lin@0/0@0/0
Enumerates processes within the "proc" file system
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2033/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2275/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/3088/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1612/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1699/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1698/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2028/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2302/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/3236/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2025/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2146/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/910/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/912/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/912/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/912/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/6229/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/759/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/759/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/759/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/517/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2307/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/918/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/918/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/918/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/6243/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/6242/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/4465/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2285/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2281/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1623/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/761/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/761/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/761/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1622/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/884/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/884/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/884/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1983/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2038/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1860/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2156/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/800/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/800/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/800/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/801/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/801/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/801/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/6237/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1629/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1627/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/3021/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/491/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/491/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/491/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2294/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2050/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1877/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/772/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/772/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/772/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1633/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1632/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/774/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/774/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/774/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1477/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/654/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/896/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1476/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1872/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2048/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/655/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/2289/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/777/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/777/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/777/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/656/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/657/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/4466/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/658/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/658/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/658/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/4467/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/4468/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/936/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/936/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/936/fd Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/419/exe Jump to behavior
Source: /tmp/6e180puJTD (PID: 6235) File opened: /proc/1639/exe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38666
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38670
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38686
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38698
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38708
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38718
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38726
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38742
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38752
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/6e180puJTD (PID: 6227) Queries kernel information via 'uname': Jump to behavior
Source: 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp Binary or memory string: 7tU/sh4/0 /proc/491/fd/69!/proc/777/fd/22/sh4/pro1/proc/1335/exe/sh4/0!/proc/491/fd/70!/proc/777/fd/19/sh4/pro1/usr/bin/vmtoolsdh4/0!/proc/491/fd/71!/proc/777/fd/18/sh4/pro1/usr/bin/xiccd/sh4/0!/proc/491/fd/72!/proc/777/fd/17/sh4/pro1
Source: 6e180puJTD, 6227.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6229.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6230.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp, 6e180puJTD, 6337.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6236.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6237.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: 6e180puJTD, 6227.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6229.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6230.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6337.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6236.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6237.1.0000557437795000.00005574377f8000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: 6e180puJTD, 6227.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6229.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6230.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6337.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6236.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6237.1.0000557437795000.00005574377f8000.rw-.sdmp Binary or memory string: uy7tU5!/etc/qemu-binfmt/sh4
Source: 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp Binary or memory string: 7tU/sh4/ro10 /usr/bin/qemu-sh4!/proc/799/fd/01
Source: 6e180puJTD, 6227.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6229.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6230.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6337.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6236.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6237.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/6e180puJTDSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6e180puJTD

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6e180puJTD, type: SAMPLE
Source: Yara match File source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6e180puJTD, type: SAMPLE
Source: Yara match File source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
241.48.61.17
 unknown Reserved
unknown unknown false
202.4.16.34
 unknown New Zealand
7306 ASIANDEVBANKUS false
92.218.193.231
 unknown Germany
3209 VODANETInternationalIP-BackboneofVodafoneDE false
111.45.222.204
 unknown China
56044 CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC false
213.154.66.80
 unknown Senegal
8346 SONATEL-ASAutonomousSystemEU false
170.167.20.34
 unknown United States
19739 COUNTY-SANBERNARDINOUS false
23.57.232.20
 unknown United States
16625 AKAMAI-ASUS false
94.72.180.46
 unknown Bulgaria
42735 MAXTELECOM-ASBG false
152.53.64.70
 unknown United States
81 NCRENUS false
181.254.19.203
 unknown Colombia
26611 COMCELSACO false
112.198.124.93
 unknown Philippines
132199 GLOBE-MOBILE-5TH-GEN-ASGlobeTelecomIncPH false
42.32.216.135
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
216.253.193.160
 unknown United States
3549 LVLT-3549US false
255.25.47.63
 unknown Reserved
unknown unknown false
116.75.187.136
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN false
152.140.145.146
 unknown United States
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false
136.114.115.150
 unknown United States
15169 GOOGLEUS false
61.199.87.85
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
121.243.246.239
 unknown India
17908 TCISLTataCommunicationsIN false
201.236.67.216
 unknown Chile
15311 TelefonicaEmpresasCL false
105.219.30.248
 unknown South Africa
16637 MTNNS-ASZA false
211.228.82.203
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
23.211.33.0
 unknown United States
20940 AKAMAI-ASN1EU false
54.62.178.249
 unknown United States
14618 AMAZON-AESUS false
106.8.250.67
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
245.43.211.188
 unknown Reserved
unknown unknown false
240.188.31.120
 unknown Reserved
unknown unknown false
53.84.230.224
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
89.166.205.104
 unknown Germany
9145 EWETELCloppenburgerStrasse310DE false
211.238.83.67
 unknown Korea Republic of
9976 ICNDP-AS-KRNamincheonBrodcastingCoLtdKR false
248.231.5.213
 unknown Reserved
unknown unknown false
181.199.34.216
 unknown Ecuador
27947 TelconetSAEC false
212.182.0.33
 unknown Poland
12324 LUBMAN-EDU-ASPolandLublinPL false
99.25.205.72
 unknown United States
7018 ATT-INTERNET4US false
162.47.196.174
 unknown United States
3378 MCI-ASNUS false
221.135.3.139
 unknown India
9583 SIFY-AS-INSifyLimitedIN false
107.239.142.218
 unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
148.171.245.152
 unknown United States
397879 LUMINATE-01US false
194.6.220.151
 unknown Russian Federation
197498 VERBETA-ASRU false
170.249.28.22
 unknown United States
46208 PFNL-ASNUS false
161.87.168.161
 unknown Netherlands
14298 EPA-NETUS false
182.223.152.232
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
149.166.36.96
 unknown United States
87 INDIANA-ASUS false
160.248.62.68
 unknown Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
69.43.190.255
 unknown United States
22489 ZCOLO-SAN01US false
180.149.166.204
 unknown Japan 4721 JCNJupiterTelecommunicationsCoLtdJP false
27.168.199.202
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
12.202.34.160
 unknown United States
22983 FISERV-INCUS false
90.39.150.123
 unknown France
3215 FranceTelecom-OrangeFR false
190.72.15.38
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE false
223.1.225.83
 unknown China
63555 CNBIDCCBeijingBeilongYunhaiNetworkDataTechnologyCorpo false
154.50.90.162
 unknown United States
174 COGENT-174US false
107.164.228.73
 unknown United States
18779 EGIHOSTINGUS false
153.237.4.55
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
20.58.232.198
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
242.167.10.248
 unknown Reserved
unknown unknown false
198.154.232.182
 unknown United States
46606 UNIFIEDLAYER-AS-1US false
80.119.148.81
 unknown France
15557 LDCOMNETFR false
159.11.199.53
 unknown United States
16983 AS16983US false
135.89.233.67
 unknown United States
10455 LUCENT-CIOUS false
9.172.236.202
 unknown United States
3356 LEVEL3US false
146.120.215.100
 unknown Czech Republic
61240 SKYNET2010-ASUA false
178.245.89.170
 unknown Turkey
16135 TURKCELL-ASTurkcellASTR false
123.46.180.186
 unknown Korea Republic of
6619 SAMSUNGSDS-AS-KRSamsungSDSIncKR false
153.178.204.6
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
39.114.213.225
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
12.247.187.54
 unknown United States
7018 ATT-INTERNET4US false
71.211.10.242
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
167.27.235.115
 unknown United States
7838 USAAUS false
2.145.36.98
 unknown Iran (ISLAMIC Republic Of)
44244 IRANCELL-ASIR false
210.194.84.73
 unknown Japan 9824 JTCL-JP-ASJupiterTelecommunicationCoLtdJP false
246.109.35.156
 unknown Reserved
unknown unknown false
200.102.192.29
 unknown Brazil
8167 BrasilTelecomSA-FilialDistritoFederalBR false
69.119.225.193
 unknown United States
6128 CABLE-NET-1US false
58.107.214.72
 unknown Australia
4804 MPX-ASMicroplexPTYLTDAU false
141.201.90.37
 unknown Austria
1109 UNI-SALZBURGUniversityofSalzburgAT false
66.157.86.21
 unknown United States
6389 BELLSOUTH-NET-BLKUS false
141.95.237.110
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
201.166.226.252
 unknown Mexico
11888 TelevisionInternacionalSAdeCVMX false
67.24.66.23
 unknown United States
202818 LEVEL3COMMUNICATIONSFR false
37.55.245.82
 unknown Ukraine
6849 UKRTELNETUA false
89.59.121.171
 unknown Germany
5430 FREENETDEfreenetDatenkommunikationsGmbHDE false
175.183.201.54
 unknown Taiwan; Republic of China (ROC)
18049 TINP-TWTaiwanInfrastructureNetworkTechnologieTW false
254.14.236.113
 unknown Reserved
unknown unknown false
184.85.6.114
 unknown United States
16625 AKAMAI-ASUS false
184.209.135.95
 unknown United States
10507 SPCSUS false
107.114.209.29
 unknown United States
7018 ATT-INTERNET4US false
173.73.28.233
 unknown United States
701 UUNETUS false
251.157.26.163
 unknown Reserved
unknown unknown false
73.108.225.174
 unknown United States
7922 COMCAST-7922US false
92.33.148.109
 unknown Sweden
2119 TELENOR-NEXTELTelenorNorgeASNO false
141.166.179.222
 unknown United States
20105 URICHMONDUS false
46.118.113.132
 unknown Ukraine
15895 KSNET-ASUA false
242.215.49.122
 unknown Reserved
unknown unknown false
163.178.130.139
 unknown Costa Rica
11830 InstitutoCostarricensedeElectricidadyTelecomCR false
41.35.35.120
 unknown Egypt
8452 TE-ASTE-ASEG false
152.253.191.168
 unknown Brazil
26599 TELEFONICABRASILSABR false
75.203.185.46
 unknown United States
22394 CELLCOUS false
199.52.203.174
 unknown United States
398192 ARDOT-NET-01US false
12.189.115.9
 unknown United States
7018 ATT-INTERNET4US false