Source: H6xHFhrbOF.elf |
ReversingLabs: Detection: 69% |
Source: H6xHFhrbOF.elf |
Virustotal: Detection: 42% |
Source: global traffic |
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: global traffic |
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:40692 -> 89.208.103.112:1312 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
Socket: 0.0.0.0::0 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
Socket: 0.0.0.0::23 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
Socket: 0.0.0.0::53413 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
Socket: 0.0.0.0::80 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
Socket: 0.0.0.0::52869 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
Socket: 0.0.0.0::37215 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
Socket: 0.0.0.0::0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 89.208.103.112 |
Source: H6xHFhrbOF.elf |
String found in binary or memory: http://upx.sf.net |
Source: LOAD without section mappings |
Program segment: 0x100000 |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
SIGKILL sent: pid: 936, result: successful |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
SIGKILL sent: pid: 936, result: successful |
Source: classification engine |
Classification label: mal60.troj.evad.linELF@0/0@0/0 |
Source: initial sample |
String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample |
String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $ |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/491/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/793/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/772/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/796/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/774/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/797/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/777/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/799/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/658/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/912/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/759/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/936/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/918/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/1/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/761/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/785/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/884/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/720/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/721/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/788/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/789/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/800/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/801/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/847/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6221) |
File opened: /proc/904/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/491/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/793/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/772/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/796/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/774/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/797/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/777/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/799/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/658/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/912/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/759/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/936/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/918/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/1/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/761/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/785/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/884/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/720/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/721/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/788/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/789/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/800/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/801/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/847/fd |
Source: /tmp/H6xHFhrbOF.elf (PID: 6215) |
File opened: /proc/904/fd |
Source: H6xHFhrbOF.elf |
Submission file: segment LOAD with 7.875 entropy (max. 8.0) |
Source: /tmp/H6xHFhrbOF.elf (PID: 6213) |
Queries kernel information via 'uname': |
Source: H6xHFhrbOF.elf, 6213.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6215.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6316.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6333.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6324.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6216.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6315.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6222.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp |
Binary or memory string: V!/etc/qemu-binfmt/mips |
Source: H6xHFhrbOF.elf, 6213.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6215.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6316.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6333.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6324.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6216.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6315.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6222.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/H6xHFhrbOF.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/H6xHFhrbOF.elf |
Source: H6xHFhrbOF.elf, 6213.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6215.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6316.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6333.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6324.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6216.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6315.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp, H6xHFhrbOF.elf, 6222.1.0000560d64e50000.0000560d64ed7000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mips |
Source: H6xHFhrbOF.elf, 6213.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6215.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6316.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6333.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6324.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6216.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6315.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp, H6xHFhrbOF.elf, 6222.1.00007ffe861f0000.00007ffe86211000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mips |
Source: Yara match |
File source: dump.pcap, type: PCAP |