Linux Analysis Report
http://31.214.243.29/Demon.mips

Overview

General Information

Sample URL: http://31.214.243.29/Demon.mips
Analysis ID: 831144

Detection

Gafgyt, Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Yara detected Gafgyt
Writes ELF files to disk
Yara signature match
Creates hidden files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Queries the installed Ubuntu/CentOS release

Classification

AV Detection

Source: http://31.214.243.29/Demon.mips Avira URL Cloud: detection malicious, Label: malware
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.23:57056 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: content-signature-2.cdn.mozilla.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 43386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 38690
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39582
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39200
Source: unknown Network traffic detected: HTTP traffic on port 39200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57870
Source: unknown Network traffic detected: HTTP traffic on port 57862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 39214 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 38248 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 38246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39214
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 38246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 38248
Source: unknown Network traffic detected: HTTP traffic on port 43386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57862
Source: unknown Network traffic detected: HTTP traffic on port 38690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 39582 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: global traffic HTTP traffic detected: GET /chains/remote-settings.content-signature.mozilla.org-2021-09-19-15-17-11.chain HTTP/1.1
  Host: content-signature-2.cdn.mozilla.net
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
  If-Modified-Since: Sat, 31 Jul 2021 15:17:12 GMT
  If-None-Match: "8cfd2c8fe1fb0bc900759661d7a6ee89"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Host: push.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Sec-WebSocket-Version: 13
  Origin: wss://push.services.mozilla.com/
  Sec-WebSocket-Protocol: push-notification
  Sec-WebSocket-Extensions: permessage-deflate
  Sec-WebSocket-Key: /HsD9zTc2lDu1K9P7e79lw==
  Connection: keep-alive, Upgrade
  Sec-Fetch-Dest: websocket
  Sec-Fetch-Mode: websocket
  Sec-Fetch-Site: cross-site
  Pragma: no-cache
  Cache-Control: no-cache
  Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1
  Host: firefox.settings.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Content-Type: application/json
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
  If-Modified-Since: Tue, 01 Jun 2021 14:28:23 GMT
  If-None-Match: "1622557703112"
Source: global traffic HTTP traffic detected: GET /v1/ HTTP/1.1
  Host: firefox.settings.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /main-workspace/ms-language-packs/4f1bcaa0-ddf9-43ef-aca3-8378c4d05582.ftl HTTP/1.1
  Host: firefox-settings-attachments.cdn.mozilla.net
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /update/3/GMP/91.0.1/20210816143654/Linux_x86_64-gcc3/null/release-cck-ubuntu/Linux%205.4.0-72-generic%20(GTK%203.24.20%2Clibpulse%2013.99.0)/canonical/1.0/update.xml HTTP/1.1
  Host: aus5.mozilla.org
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Cache-Control: no-cache
  Pragma: no-cache
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Site: cross-site
Source: global traffic HTTP traffic detected: GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1
  Host: firefox.settings.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Content-Type: application/json
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
  If-Modified-Since: Fri, 25 Mar 2022 17:45:46 GMT
  If-None-Match: "1648230346554"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Host: push.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Sec-WebSocket-Version: 13
  Origin: wss://push.services.mozilla.com/
  Sec-WebSocket-Protocol: push-notification
  Sec-WebSocket-Extensions: permessage-deflate
  Sec-WebSocket-Key: Pv/Zvfj6YW6T57Phu897Ug==
  Connection: keep-alive, Upgrade
  Sec-Fetch-Dest: websocket
  Sec-Fetch-Mode: websocket
  Sec-Fetch-Site: cross-site
  Pragma: no-cache
  Cache-Control: no-cache
  Upgrade: websocket
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Host: push.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Sec-WebSocket-Version: 13
  Origin: wss://push.services.mozilla.com/
  Sec-WebSocket-Protocol: push-notification
  Sec-WebSocket-Extensions: permessage-deflate
  Sec-WebSocket-Key: U4qUgcEAUSmpmIII+0JwlQ==
  Connection: keep-alive, Upgrade
  Sec-Fetch-Dest: websocket
  Sec-Fetch-Mode: websocket
  Sec-Fetch-Site: cross-site
  Pragma: no-cache
  Cache-Control: no-cache
  Upgrade: websocket
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  Host: push.services.mozilla.com
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Sec-WebSocket-Version: 13
  Origin: wss://push.services.mozilla.com/
  Sec-WebSocket-Protocol: push-notification
  Sec-WebSocket-Extensions: permessage-deflate
  Sec-WebSocket-Key: xcYDBoWaCBwQWORghw2Mew==
  Connection: keep-alive, Upgrade
  Sec-Fetch-Dest: websocket
  Sec-Fetch-Mode: websocket
  Sec-Fetch-Site: cross-site
  Pragma: no-cache
  Cache-Control: no-cache
  Upgrade: websocket
Source: global traffic HTTP traffic detected: GET /Demon.mips HTTP/1.1
  Host: 31.214.243.29
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
Source: 134714F2DF01B21FA934AB16898B0583114E19B0.42.dr String found in binary or memory: http://31.214.243.29/
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr String found in binary or memory: http://31.214.243.29/Demon.mips
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr String found in binary or memory: http://31.214.243.29/Demon.mipsstrongly-framed1request-methodGETresponse-headHTTP/1.1
Source: 134714F2DF01B21FA934AB16898B0583114E19B0.42.dr String found in binary or memory: http://31.214.243.29/predictor::seen1
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: khk19L2S.mips.part.42.dr String found in binary or memory: http://fast.no/support/crawler.asp)
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr String found in binary or memory: http://feedback.redkolibri.com/
Source: scriptCache-new.bin.42.dr String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr String found in binary or memory: http://kinto.readthedocs.io/en/latest/tutorials/synchronisation.html#polling-for-remote-changes
Source: asrouter.ftl.tmp.42.dr, DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.42.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: cert9.db-journal.42.dr String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr String found in binary or memory: http://www.billybobbot.com/crawler/)
Source: scriptCache-new.bin.42.dr String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: scriptCache-new.bin.42.dr String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: http://x1.i.lencr.org/0
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://amazon.com
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://baidu.com
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=921157
Source: 5FFD69415953BE9CE9C07B2E9C26DA959ADEA6CB.42.dr String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: scriptCache-child-new.bin.42.dr String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr String found in binary or memory: https://doh.xfinity.com/dns-query
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://duckduckgo.com
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://ebay.com
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/
Source: DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.42.dr String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/4f1bcaa0-ddf9-
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr String found in binary or memory: https://firefox.dns.next
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://firefox.dns.nextdns.io/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://firefox.settings.services.mozilla.com/v1
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: 254256B27E0C48CF9B80B695F0B3B8CA84610495.42.dr String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr String found in binary or memory: https://github.com/Kinto/kinto-attachment/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://google.com
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: 68B780A709FB903C666EF08F51EF5985A89FE446.42.dr String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/deletion-request/1/7c4c3d68-b8c8-44e6-
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: https://pki.goog/repository/0
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr String found in binary or memory: https://private.canadianshield.cira.ca/dns-query
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://profiler.firefox.com
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr String found in binary or memory: https://remote-settings.readthedocs.io
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://settings.stage.mozaws.net/v1/buckets/main-preview/collections/search-config/records
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://settings.stage.mozaws.net/v1/buckets/main/collections/search-config/records
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://support.mozilla.org/kb/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://support.mozilla.org/kb/flash-protected-mode-autodisabled
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://trr.dns.nextdns.io/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://twitter.com
Source: cert9.db.42.dr, cert9.db-journal.42.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://www.google.com/policies/privacy/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://www.openh264.org/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://www.widevine.com/
Source: scriptCache-new.bin.42.dr String found in binary or memory: https://yandex.com
Source: unknown HTTP traffic detected: POST /submit/firefox-desktop/deletion-request/1/7c4c3d68-b8c8-44e6-a714-345a0583faf2 HTTP/1.1
  Host: incoming.telemetry.mozilla.org
  User-Agent: Glean/39.0.0 (Rust on Linux)
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  x-client-type: Glean
  x-client-version: 39.0.0
  content-type: application/json; charset=utf-8
  date: Tue, 21 Mar 2023 06:17:35 GMT
  content-encoding: gzip
  content-length: 284
  Connection: keep-alive
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Site: none
  Pragma: no-cache
  Cache-Control: no-cache

System Summary

Source: dump.pcap, type: PCAP Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /tmp/khk19L2S.mips.part, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: /tmp/khk19L2S.mips.part, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: /tmp/khk19L2S.mips.part, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: /tmp/khk19L2S.mips.part, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.troj.lin@0/45@31/0
Source: khk19L2S.mips.part.42.dr ELF static info symbol of dropped file: libc/string/mips/memcpy.S
Source: khk19L2S.mips.part.42.dr ELF static info symbol of dropped file: libc/string/mips/memset.S
Source: khk19L2S.mips.part.42.dr ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crt1.S
Source: khk19L2S.mips.part.42.dr ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crti.S
Source: khk19L2S.mips.part.42.dr ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crtn.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr ELF static info symbol of dropped file: libc/string/mips/memcpy.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr ELF static info symbol of dropped file: libc/string/mips/memset.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crt1.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crti.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crtn.S
Source: /usr/lib/firefox/firefox (PID: 6247) File written: /tmp/khk19L2S.mips.part
Source: /usr/lib/firefox/firefox (PID: 6247) File written: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1
Source: /usr/bin/exo-open (PID: 6242) Directory: /home/saturnino/.cache
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244) Directory: /home/saturnino/.cache
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244) Directory: /home/saturnino/.local
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244) Directory: /home/saturnino/.config
Source: /usr/lib/firefox/firefox (PID: 6247) Directory: /home/saturnino/.cache
Source: /usr/bin/exo-open (PID: 6242) Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244) Queries kernel information via 'uname'
Source: /usr/lib/firefox/firefox (PID: 6247) Queries kernel information via 'uname'
Source: /usr/lib/firefox/firefox (PID: 6252) Queries kernel information via 'uname'
Source: /usr/bin/dbus-launch (PID: 6295) Queries kernel information via 'uname'
Source: /usr/lib/firefox/firefox (PID: 6340) Queries kernel information via 'uname'
Source: /usr/lib/firefox/firefox (PID: 6383) Queries kernel information via 'uname'
Source: /usr/lib/firefox/firefox (PID: 6434) Queries kernel information via 'uname'
Source: /usr/lib/firefox/firefox (PID: 6270) Arguments: /usr/bin/lsb_release -> /usr/bin/lsb_release -idrc

Stealing of Sensitive Information

Source: Yara match File source: /tmp/khk19L2S.mips.part, type: DROPPED
Source: Yara match File source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED

Remote Access Functionality

Source: Yara match File source: /tmp/khk19L2S.mips.part, type: DROPPED
Source: Yara match File source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED