
Linux Analysis Report
6e180puJTD

Overview

General Information

Sample Name: 6e180puJTD
Analysis ID: 680645
MD5: b19338343c7925b9ee1683f1371171f4
SHA1: 584b5f2f0dd993ab0e12869ec59f286174e31b18
SHA256: 091731e0f53b9f9b1c7d7c84b037c197b839949988d47aed4c8e23d6f3edaed5
Tags: 32, elf, mirai, renesas

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Yara signature match
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680645
Start date and time: 2022-08-08 23:11:37 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 6e180puJTD
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal80.spre.troj.lin@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
Command: /tmp/6e180puJTD
PID: 6227
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • 6e180puJTD (PID: 6227, Parent: 6121, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/6e180puJTD
  • cleanup
Source: 6e180puJTD, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6e180puJTD, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
Source: 6e180puJTD, Rule: Linux_Trojan_Gafgyt_ea92cca8, Description: unknown, Author: unknown
    • 0xe4bc:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Source: dump.pcap, Rule: JoeSecurity_Mirai_12, Description: Yara detected Mirai, Author: Joe Security
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_ea92cca8, Description: unknown, Author: unknown
          • 0xe4bc:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
          No Snort rule has matched

          AV Detection

Source: 6e180puJTD, Virustotal: Detection: 54%
Source: 6e180puJTD, ReversingLabs: Detection: 53%

          Networking

Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38666
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38670
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38678
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38686
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38698
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38708
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38718
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38726
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38742
Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 38752
Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic, TCP traffic: 192.168.2.23:35686 -> 208.67.106.33:1312
Source: /tmp/6e180puJTD (PID: 6229), Socket: 0.0.0.0::0
Source: /tmp/6e180puJTD (PID: 6229), Socket: 0.0.0.0::53413
Source: /tmp/6e180puJTD (PID: 6229), Socket: 0.0.0.0::80
Source: /tmp/6e180puJTD (PID: 6235), Socket: 0.0.0.0::0
Source: /tmp/6e180puJTD (PID: 6235), Socket: 0.0.0.0::53413
Source: /tmp/6e180puJTD (PID: 6235), Socket: 0.0.0.0::80
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query (50 destination IP addresses; list omitted)

          System Summary

Source: 6e180puJTD, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6e180puJTD, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /tmp/6e180puJTD (PID: 6229), SIGKILL sent: pid: 936, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 936, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 720, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 759, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 788, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 800, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 847, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 884, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 1334, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 1335, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 1860, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 1872, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2096, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2097, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2102, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2180, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2208, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2275, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2281, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2285, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2289, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 2294, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 6229, result: successful
Source: /tmp/6e180puJTD (PID: 6235), SIGKILL sent: pid: 6237, result: successful
Source: 6e180puJTD, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6e180puJTD, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6227, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6229, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6230, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6236, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6237, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6e180puJTD PID: 6337, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: ELF static info symbol of initial sample.symtab present: no
          Source: /tmp/6e180puJTD (PID: 6229)SIGKILL sent: pid: 936, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 936, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 720, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 759, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 788, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 800, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 847, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 884, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 1334, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 1335, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 1860, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 1872, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2096, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2097, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2102, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2180, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2208, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2275, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2281, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2285, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2289, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 2294, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 6229, result: successful
          Source: /tmp/6e180puJTD (PID: 6235)SIGKILL sent: pid: 6237, result: successful
          Source: classification engineClassification label: mal80.spre.troj.lin@0/0@0/0
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1582/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2033/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2275/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/3088/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1612/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1579/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1699/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1335/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1698/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2028/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1334/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1576/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2302/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/3236/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2025/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2146/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/910/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/912/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/912/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/912/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/6229/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/759/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/759/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/759/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/517/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2307/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/918/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/918/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/918/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/6243/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/6242/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/4465/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1594/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2285/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2281/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1349/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1623/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/761/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/761/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/761/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1622/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/884/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/884/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/884/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1983/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2038/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1344/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1465/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1586/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1860/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1463/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2156/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/800/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/800/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/800/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/801/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/801/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/801/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/6237/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1629/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1627/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1900/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/3021/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/491/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/491/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/491/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2294/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2050/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1877/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/772/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/772/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/772/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1633/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1599/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1632/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/774/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/774/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/774/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1477/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/654/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/896/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1476/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1872/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2048/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/655/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1475/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/2289/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/777/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/777/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/777/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/656/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/657/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/4466/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/658/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/658/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/658/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/4467/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/4468/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/936/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/936/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/936/fd
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/419/exe
          Source: /tmp/6e180puJTD (PID: 6235)File opened: /proc/1639/exe

          Hooking and other Techniques for Hiding and Protection

          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38666
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38670
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38678
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38686
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38698
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38708
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38718
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38726
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38742
          Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 38752
          Source: /tmp/6e180puJTD (PID: 6227) | Queries kernel information via 'uname':
          Source: 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp | Binary or memory string: 7tU/sh4/0 /proc/491/fd/69!/proc/777/fd/22/sh4/pro1/proc/1335/exe/sh4/0!/proc/491/fd/70!/proc/777/fd/19/sh4/pro1/usr/bin/vmtoolsdh4/0!/proc/491/fd/71!/proc/777/fd/18/sh4/pro1/usr/bin/xiccd/sh4/0!/proc/491/fd/72!/proc/777/fd/17/sh4/pro1
          Source: 6e180puJTD, 6227.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6229.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6230.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp, 6e180puJTD, 6337.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6236.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6237.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sh4
          Source: 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp | Binary or memory string: /usr/bin/vmtoolsd
          Source: 6e180puJTD, 6227.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6229.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6230.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6337.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6236.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6237.1.0000557437795000.00005574377f8000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sh4
          Source: 6e180puJTD, 6227.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6229.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6230.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6337.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6236.1.0000557437795000.00005574377f8000.rw-.sdmp, 6e180puJTD, 6237.1.0000557437795000.00005574377f8000.rw-.sdmp | Binary or memory string: uy7tU5!/etc/qemu-binfmt/sh4
          Source: 6e180puJTD, 6337.1.00005574377f8000.0000557437818000.rw-.sdmp | Binary or memory string: 7tU/sh4/ro10 /usr/bin/qemu-sh4!/proc/799/fd/01
          Source: 6e180puJTD, 6227.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6229.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6230.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6337.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6236.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp, 6e180puJTD, 6237.1.00007ffd5f8a3000.00007ffd5f8c4000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/6e180puJTDSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6e180puJTD

          Stealing of Sensitive Information

          Source: Yara match | File source: dump.pcap, type: PCAP
          Source: Yara match | File source: 6e180puJTD, type: SAMPLE
          Source: Yara match | File source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: dump.pcap, type: PCAP
          Source: Yara match | File source: 6e180puJTD, type: SAMPLE
          Source: Yara match | File source: 6337.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6237.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6230.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6227.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6236.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          Source: Yara match | File source: 6229.1.00007f87d0400000.00007f87d0410000.r-x.sdmp, type: MEMORY
          MITRE ATT&CK matrix (techniques listed per tactic column; a number in parentheses is the signature count the report shows for that technique):
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
          Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
          Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
          Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
          Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
          Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
          Command and Control: Encrypted Channel (1); Non-Standard Port (11); Application Layer Protocol (1)
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Service Stop (1); Device Lockout; Delete Device Data
          No configs have been found
          [Behavior Graph; ID: 680645, Sample: 6e180puJTD, Startdate: 08/08/2022, Architecture: LINUX, Score: 80]
          Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Number of created Files; Is malicious; Internet
          Network nodes: 69.43.190.255 (ZCOLO-SAN01US, United States); 92.218.193.231 (VODANETInternationalIP-BackboneofVodafoneDE, Germany); 98 other IPs or domains
          Signature nodes: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; Uses known network protocols on non-standard ports; Sample tries to kill multiple processes (SIGKILL), attached to two of the child processes
          Process nodes: 6e180puJTD started; it starts three 6e180puJTD child processes; one of those starts three further 6e180puJTD processes, and one of these starts two more
          Source | Detection | Scanner | Label | Link
          6e180puJTD | 54% | Virustotal | | Browse
          6e180puJTD | 54% | ReversingLabs | Linux.Trojan.Mirai |
          No Antivirus matches
          No contacted domains info
          IP | Domain | Country | ASN | ASN Name | Malicious
          241.48.61.17 | unknown | Reserved | unknown | unknown | false
          202.4.16.34 | unknown | New Zealand | 7306 | ASIANDEVBANKUS | false
          92.218.193.231 | unknown | Germany | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false
          111.45.222.204 | unknown | China | 56044 | CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC | false
          213.154.66.80 | unknown | Senegal | 8346 | SONATEL-ASAutonomousSystemEU | false
          170.167.20.34 | unknown | United States | 19739 | COUNTY-SANBERNARDINOUS | false
          23.57.232.20 | unknown | United States | 16625 | AKAMAI-ASUS | false
          94.72.180.46 | unknown | Bulgaria | 42735 | MAXTELECOM-ASBG | false
          152.53.64.70 | unknown | United States | 81 | NCRENUS | false
          181.254.19.203 | unknown | Colombia | 26611 | COMCELSACO | false
          112.198.124.93 | unknown | Philippines | 132199 | GLOBE-MOBILE-5TH-GEN-ASGlobeTelecomIncPH | false
          42.32.216.135 | unknown | Korea Republic of | 9644 | SKTELECOM-NET-ASSKTelecomKR | false
          216.253.193.160 | unknown | United States | 3549 | LVLT-3549US | false
          255.25.47.63 | unknown | Reserved | unknown | unknown | false
          116.75.187.136 | unknown | India | 17488 | HATHWAY-NET-APHathwayIPOverCableInternetIN | false
          152.140.145.146 | unknown | United States | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | false
          136.114.115.150 | unknown | United States | 15169 | GOOGLEUS | false
          61.199.87.85 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | false
          121.243.246.239 | unknown | India | 17908 | TCISLTataCommunicationsIN | false
          201.236.67.216 | unknown | Chile | 15311 | TelefonicaEmpresasCL | false
          105.219.30.248 | unknown | South Africa | 16637 | MTNNS-ASZA | false
          211.228.82.203 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false
          23.211.33.0 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
          54.62.178.249 | unknown | United States | 14618 | AMAZON-AESUS | false
          106.8.250.67 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
          245.43.211.188 | unknown | Reserved | unknown | unknown | false
          240.188.31.120 | unknown | Reserved | unknown | unknown | false
          53.84.230.224 | unknown | Germany | 31399 | DAIMLER-ASITIGNGlobalNetworkDE | false
          89.166.205.104 | unknown | Germany | 9145 | EWETELCloppenburgerStrasse310DE | false
          211.238.83.67 | unknown | Korea Republic of | 9976 | ICNDP-AS-KRNamincheonBrodcastingCoLtdKR | false
          248.231.5.213 | unknown | Reserved | unknown | unknown | false
          181.199.34.216 | unknown | Ecuador | 27947 | TelconetSAEC | false
          212.182.0.33 | unknown | Poland | 12324 | LUBMAN-EDU-ASPolandLublinPL | false
          99.25.205.72 | unknown | United States | 7018 | ATT-INTERNET4US | false
          162.47.196.174 | unknown | United States | 3378 | MCI-ASNUS | false
          221.135.3.139 | unknown | India | 9583 | SIFY-AS-INSifyLimitedIN | false
          107.239.142.218 | unknown | United States | 20057 | ATT-MOBILITY-LLC-AS20057US | false
          148.171.245.152 | unknown | United States | 397879 | LUMINATE-01US | false
          194.6.220.151 | unknown | Russian Federation | 197498 | VERBETA-ASRU | false
          170.249.28.22 | unknown | United States | 46208 | PFNL-ASNUS | false
          161.87.168.161 | unknown | Netherlands | 14298 | EPA-NETUS | false
          182.223.152.232 | unknown | Korea Republic of | 17858 | POWERVIS-AS-KRLGPOWERCOMMKR | false
          149.166.36.96 | unknown | United States | 87 | INDIANA-ASUS | false
          160.248.62.68 | unknown | Japan | 2514 | INFOSPHERENTTPCCommunicationsIncJP | false
          69.43.190.255 | unknown | United States | 22489 | ZCOLO-SAN01US | false
          180.149.166.204 | unknown | Japan | 4721 | JCNJupiterTelecommunicationsCoLtdJP | false
          27.168.199.202 | unknown | Korea Republic of | 9644 | SKTELECOM-NET-ASSKTelecomKR | false
          12.202.34.160 | unknown | United States | 22983 | FISERV-INCUS | false
          90.39.150.123 | unknown | France | 3215 | FranceTelecom-OrangeFR | false
          190.72.15.38 | unknown | Venezuela | 8048 | CANTVServiciosVenezuelaVE | false
          223.1.225.83 | unknown | China | 63555 | CNBIDCCBeijingBeilongYunhaiNetworkDataTechnologyCorpo | false
          154.50.90.162 | unknown | United States | 174 | COGENT-174US | false
          107.164.228.73 | unknown | United States | 18779 | EGIHOSTINGUS | false
          153.237.4.55 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | false
          20.58.232.198 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
          242.167.10.248 | unknown | Reserved | unknown | unknown | false
          198.154.232.182 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
          80.119.148.81 | unknown | France | 15557 | LDCOMNETFR | false
          159.11.199.53 | unknown | United States | 16983 | AS16983US | false
          135.89.233.67 | unknown | United States | 10455 | LUCENT-CIOUS | false
          9.172.236.202 | unknown | United States | 3356 | LEVEL3US | false
          146.120.215.100 | unknown | Czech Republic | 61240 | SKYNET2010-ASUA | false
          178.245.89.170 | unknown | Turkey | 16135 | TURKCELL-ASTurkcellASTR | false
          123.46.180.186 | unknown | Korea Republic of | 6619 | SAMSUNGSDS-AS-KRSamsungSDSIncKR | false
          153.178.204.6 | unknown | Japan | 4713 | OCNNTTCommunicationsCorporationJP | false
          39.114.213.225 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | false
          12.247.187.54 | unknown | United States | 7018 | ATT-INTERNET4US | false
          71.211.10.242 | unknown | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
          167.27.235.115 | unknown | United States | 7838 | USAAUS | false
          2.145.36.98 | unknown | Iran (ISLAMIC Republic Of) | 44244 | IRANCELL-ASIR | false
          210.194.84.73 | unknown | Japan | 9824 | JTCL-JP-ASJupiterTelecommunicationCoLtdJP | false
          246.109.35.156 | unknown | Reserved | unknown | unknown | false
          200.102.192.29 | unknown | Brazil | 8167 | BrasilTelecomSA-FilialDistritoFederalBR | false
          69.119.225.193 | unknown | United States | 6128 | CABLE-NET-1US | false
          58.107.214.72 | unknown | Australia | 4804 | MPX-ASMicroplexPTYLTDAU | false
          141.201.90.37 | unknown | Austria | 1109 | UNI-SALZBURGUniversityofSalzburgAT | false
          66.157.86.21 | unknown | United States | 6389 | BELLSOUTH-NET-BLKUS | false
          141.95.237.110 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
          201.166.226.252 | unknown | Mexico | 11888 | TelevisionInternacionalSAdeCVMX | false
          67.24.66.23 | unknown | United States | 202818 | LEVEL3COMMUNICATIONSFR | false
          37.55.245.82 | unknown | Ukraine | 6849 | UKRTELNETUA | false
          89.59.121.171 | unknown | Germany | 5430 | FREENETDEfreenetDatenkommunikationsGmbHDE | false
          175.183.201.54 | unknown | Taiwan; Republic of China (ROC) | 18049 | TINP-TWTaiwanInfrastructureNetworkTechnologieTW | false
          254.14.236.113 | unknown | Reserved | unknown | unknown | false
          184.85.6.114 | unknown | United States | 16625 | AKAMAI-ASUS | false
          184.209.135.95 | unknown | United States | 10507 | SPCSUS | false
          107.114.209.29 | unknown | United States | 7018 | ATT-INTERNET4US | false
          173.73.28.233 | unknown | United States | 701 | UUNETUS | false
          251.157.26.163 | unknown | Reserved | unknown | unknown | false
          73.108.225.174 | unknown | United States | 7922 | COMCAST-7922US | false
          92.33.148.109 | unknown | Sweden | 2119 | TELENOR-NEXTELTelenorNorgeASNO | false
          141.166.179.222 | unknown | United States | 20105 | URICHMONDUS | false
          46.118.113.132 | unknown | Ukraine | 15895 | KSNET-ASUA | false
          242.215.49.122 | unknown | Reserved | unknown | unknown | false
          163.178.130.139 | unknown | Costa Rica | 11830 | InstitutoCostarricensedeElectricidadyTelecomCR | false
          41.35.35.120 | unknown | Egypt | 8452 | TE-ASTE-ASEG | false
          152.253.191.168 | unknown | Brazil | 26599 | TELEFONICABRASILSABR | false
          75.203.185.46 | unknown | United States | 22394 | CELLCOUS | false
          199.52.203.174 | unknown | United States | 398192 | ARDOT-NET-01US | false
          12.189.115.9 | unknown | United States | 7018 | ATT-INTERNET4US | false
          No context
          No created / dropped files found
          File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
          Entropy (8bit):6.776759926089661
          TrID:
          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
          File name:6e180puJTD
          File size:63480
          MD5:b19338343c7925b9ee1683f1371171f4
          SHA1:584b5f2f0dd993ab0e12869ec59f286174e31b18
          SHA256:091731e0f53b9f9b1c7d7c84b037c197b839949988d47aed4c8e23d6f3edaed5
          SHA512:4366eae63878492ddbb82a20ab2a90eec1f2387efcc5fbee67512fa17748222b41ecf8e3430f4d7b82f9ef1ae8452a51d94008491fc647eb3a50ca26aabb1dfb
          SSDEEP:1536:ragXV1f1Fl/wtkniPQauiufs3Ii3O/qyD6EZeCc:r57f1b/0QHf+Iey6EZe
          TLSH:1D538D75D12DAEA8C0414AB4A9198E704F13E4C046733EF7EA9587A68443DBCF858FF8
          File Content Preview:.ELF..............*.......@.4...h.......4. ...(...............@...@...........................A...A.$...............Q.td............................././"O.n........#.*@........#.*@L....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

          ELF header

          Class:ELF32
          Data:2's complement, little endian
          Version:1 (current)
          Machine:<unknown>
          Version Number:0x1
          Type:EXEC (Executable file)
          OS/ABI:UNIX - System V
          ABI Version:0
          Entry Point Address:0x4001a0
          Flags:0x9
          ELF Header Size:52
          Program Header Offset:52
          Program Header Size:32
          Number of Program Headers:3
          Section Header Offset:63080
          Section Header Size:40
          Number of Section Headers:10
          Header String Table Index:9
          Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
          | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
          .init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4
          .text | PROGBITS | 0x4000e0 | 0xe0 | 0xde60 | 0x0 | 0x6 | AX | 0 | 0 | 32
          .fini | PROGBITS | 0x40df40 | 0xdf40 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
          .rodata | PROGBITS | 0x40df64 | 0xdf64 | 0x149c | 0x0 | 0x2 | A | 0 | 0 | 4
          .ctors | PROGBITS | 0x41f404 | 0xf404 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
          .dtors | PROGBITS | 0x41f40c | 0xf40c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
          .data | PROGBITS | 0x41f418 | 0xf418 | 0x210 | 0x0 | 0x3 | WA | 0 | 0 | 4
          .bss | NOBITS | 0x41f628 | 0xf628 | 0x280 | 0x0 | 0x3 | WA | 0 | 0 | 4
          .shstrtab | STRTAB | 0x0 | 0xf628 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1
          Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
          LOAD | 0x0 | 0x400000 | 0x400000 | 0xf400 | 0xf400 | 6.8133 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
          LOAD | 0xf404 | 0x41f404 | 0x41f404 | 0x224 | 0x4a4 | 2.9546 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .bss
          GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |
          TimestampSource PortDest PortSource IPDest IP

          System Behavior

          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:/tmp/6e180puJTD
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:21:01
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:21:01
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9
          Start time:23:17:51
          Start date:08/08/2022
          Path:/tmp/6e180puJTD
          Arguments:n/a
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9