Linux Analysis Report
35JTigDQD0.elf

Overview

General Information

Sample Name: 35JTigDQD0.elf
Analysis ID: 755694
MD5: 0fbe8cba363d1ca3de62343266244286
SHA1: d2ce4c0b48b3075ad04370b9639a6f6ce2a1d20c
SHA256: 95374214630d9aa7c9d8dccb051df549cc1c7dbc21dda9285857344064012e4e
Tags: 32elfmipsmirai
Infos:

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content

Classification

AV Detection

barindex
Source: 35JTigDQD0.elf ReversingLabs: Detection: 56%
Source: 35JTigDQD0.elf Virustotal: Detection: 39% Perma Link

Networking

barindex
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57126
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57166
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57176
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57178
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57180
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57182
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57186
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57188
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57210
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51494
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51498
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51500
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51504
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51506
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51508
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51520
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51522
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51526
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:51412 -> 84.21.172.198:1312
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 84.21.172.198
Source: unknown TCP traffic detected without corresponding DNS query: 34.176.109.115
Source: unknown TCP traffic detected without corresponding DNS query: 47.95.37.115
Source: unknown TCP traffic detected without corresponding DNS query: 106.28.157.36
Source: unknown TCP traffic detected without corresponding DNS query: 193.128.69.135
Source: unknown TCP traffic detected without corresponding DNS query: 188.171.121.112
Source: unknown TCP traffic detected without corresponding DNS query: 47.197.229.93
Source: unknown TCP traffic detected without corresponding DNS query: 68.154.51.71
Source: unknown TCP traffic detected without corresponding DNS query: 139.27.37.191
Source: unknown TCP traffic detected without corresponding DNS query: 141.28.148.86
Source: unknown TCP traffic detected without corresponding DNS query: 70.117.179.100
Source: unknown TCP traffic detected without corresponding DNS query: 174.183.250.153
Source: unknown TCP traffic detected without corresponding DNS query: 67.126.232.20
Source: unknown TCP traffic detected without corresponding DNS query: 254.93.135.244
Source: unknown TCP traffic detected without corresponding DNS query: 5.46.95.207
Source: unknown TCP traffic detected without corresponding DNS query: 35.195.47.216
Source: unknown TCP traffic detected without corresponding DNS query: 125.116.83.39
Source: unknown TCP traffic detected without corresponding DNS query: 246.50.49.223
Source: unknown TCP traffic detected without corresponding DNS query: 109.133.122.164
Source: unknown TCP traffic detected without corresponding DNS query: 201.143.221.133
Source: unknown TCP traffic detected without corresponding DNS query: 165.90.28.228
Source: unknown TCP traffic detected without corresponding DNS query: 128.254.49.90
Source: unknown TCP traffic detected without corresponding DNS query: 159.12.116.240
Source: unknown TCP traffic detected without corresponding DNS query: 216.142.186.206
Source: unknown TCP traffic detected without corresponding DNS query: 72.1.142.217
Source: unknown TCP traffic detected without corresponding DNS query: 57.76.71.8
Source: unknown TCP traffic detected without corresponding DNS query: 162.178.70.236
Source: unknown TCP traffic detected without corresponding DNS query: 75.209.56.66
Source: unknown TCP traffic detected without corresponding DNS query: 125.96.89.18
Source: unknown TCP traffic detected without corresponding DNS query: 211.127.191.133
Source: unknown TCP traffic detected without corresponding DNS query: 172.106.13.152
Source: unknown TCP traffic detected without corresponding DNS query: 107.88.70.173
Source: unknown TCP traffic detected without corresponding DNS query: 101.75.138.233
Source: unknown TCP traffic detected without corresponding DNS query: 171.148.45.46
Source: unknown TCP traffic detected without corresponding DNS query: 250.76.192.64
Source: unknown TCP traffic detected without corresponding DNS query: 12.86.204.11
Source: unknown TCP traffic detected without corresponding DNS query: 103.244.134.156
Source: unknown TCP traffic detected without corresponding DNS query: 197.0.21.59
Source: unknown TCP traffic detected without corresponding DNS query: 125.72.101.39
Source: unknown TCP traffic detected without corresponding DNS query: 196.230.225.168
Source: unknown TCP traffic detected without corresponding DNS query: 76.255.64.105
Source: unknown TCP traffic detected without corresponding DNS query: 121.151.238.119
Source: unknown TCP traffic detected without corresponding DNS query: 116.142.203.156
Source: unknown TCP traffic detected without corresponding DNS query: 198.138.187.17
Source: unknown TCP traffic detected without corresponding DNS query: 5.1.132.176
Source: unknown TCP traffic detected without corresponding DNS query: 23.180.244.14
Source: unknown TCP traffic detected without corresponding DNS query: 166.199.132.180
Source: unknown TCP traffic detected without corresponding DNS query: 144.50.173.123
Source: unknown TCP traffic detected without corresponding DNS query: 19.130.192.90
Source: unknown TCP traffic detected without corresponding DNS query: 244.241.220.42
Source: 35JTigDQD0.elf String found in binary or memory: http://upx.sf.net

System Summary

barindex
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: LOAD without section mappings Program segment: 0x100000
Source: 6237.1.00007f994c455000.00007f994c457000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6243.1.00007f994c455000.00007f994c457000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007f994c455000.00007f994c457000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine Classification label: mal80.troj.evad.linELF@0/0@0/0

Data Obfuscation

barindex
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/6236/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2033/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2275/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/3088/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/6191/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/6190/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1612/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1699/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1698/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2028/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2302/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/3236/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2025/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2146/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/910/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/912/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/517/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/759/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2307/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/918/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4461/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/6246/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2285/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2281/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1623/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/761/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1622/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/884/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1983/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2038/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1860/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2156/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/800/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/801/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1629/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1627/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/3021/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/491/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2294/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2050/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1877/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/772/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1633/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1632/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/774/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1477/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/654/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/896/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1476/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1872/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2048/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/655/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2289/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/656/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/777/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/657/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4466/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/658/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4467/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4468/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4469/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4502/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/419/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/936/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1639/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1638/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2208/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2180/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1809/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1494/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1890/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2063/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2062/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1888/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1886/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/420/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1489/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/785/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1642/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/788/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/667/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/789/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/1648/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4494/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/6157/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2078/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2077/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2074/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/2195/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/670/exe Jump to behavior
Source: /tmp/35JTigDQD0.elf (PID: 6242) File opened: /proc/4490/exe Jump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57126
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57166
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57176
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57178
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57180
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57182
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57186
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57188
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57210
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51494
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51498
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51500
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51504
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51506
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51508
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51520
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51522
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51526
Source: 35JTigDQD0.elf Submission file: segment LOAD with 7.9036 entropy (max. 8.0)
Source: /tmp/35JTigDQD0.elf (PID: 6234) Queries kernel information via 'uname': Jump to behavior
Source: 35JTigDQD0.elf, 6234.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/35JTigDQD0.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/35JTigDQD0.elf
Source: 35JTigDQD0.elf, 6234.1.0000558506145000.00005585061ec000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.0000558506145000.00005585061cc000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.0000558506145000.00005585061cc000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 35JTigDQD0.elf, 6234.1.0000558506145000.00005585061ec000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.0000558506145000.00005585061cc000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.0000558506145000.00005585061cc000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: 35JTigDQD0.elf, 6234.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

barindex
Source: Yara match File source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

barindex
Source: Yara match File source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs