Linux Analysis Report
dlr.mpsl.elf

Overview

General Information

Sample name: dlr.mpsl.elf
Analysis ID: 1546729
MD5: bc7c970f3f8e1211a12c141741274031
SHA1: 6f733a53c545badf3337422f95a974cfc56f5176
SHA256: d3f39b50f80370ecaa0355e2b6aa7f5bcc306a88180504f675fbd683e59864b8
Tags: elf, user-abuse_ch

Detection

Okiru
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Okiru
Found strings indicative of a multi-platform dropper
HTTP GET or POST without a user agent
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

AV Detection

Source: /tmp/byte Avira: detection malicious, Label: EXP/ELF.Mirai.Bootnet.o
Source: dlr.mpsl.elf ReversingLabs: Detection: 39%
Source: byte.12.dr String: 'byte/proc/%d/net/tcp %*d: %*x:%x/proc//proc/%s/exe/proc/self/exe/proc/proc/%d/cmdlinenetstatwgettftpftpcurlbusybox/bin/busyboxvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/soraJoshohajime902i13BzSxLxBxeYHOHO-LUGO7HOHO-U79OLJuYfouyf87NiGGeR69xdSO190Ij1XLOLKIKEEEDDEekjheory98escansh4MDMAfdevalvexscanspcMELTEDNINJAREALZflexsonskidsscanx86MISAKI-U79OLfoAxi102kxeswodjwodjwojMmKiy7f87lfreecookiex86sysgpufrgegesysupdater0DnAzepdNiGGeRD0nks69frgreu0x766f6964NiGGeRd0nks1337gafturasgbsigboa120i3UI49OaF3geaevaiolmao123123aOfurain0n4H34DggTrexewwasads1293194hjXDOthLaLosnggtwget-log1337SoraLOADERSAIAKINAggtq1378bfp919GRB1Q2SAIAKUSOggtr14FaSEXSLAVE1337ggtt1902a3u912u3u4haetrghbr19ju3dSORAojkf120hehahejeje922U2JDJA901F91SlaVLav12helpmedaddthhhhh2wgg9qphbqSlav3Th3seD3viceshzSmYZjYMQ5GbfSoRAxD123LOLiaGv5aA3SoRAxD420LOLinsomni640277SoraBeReppin1337ipcamCache66tlGg9QjUYfouyf876ke3TOKYO3lyEeaXul2dULCVxh93OfjHZ2zTY2gD6MZvKc7KU6rmMkiy6f87lA023UU4U24UIUTheWeekndmioribitchesA5p9TheWeekndsmnblkjpoiAbAdTokyosnebAkiruU8inTznetstatsAlexW9RCAKM20TnewnetwordAyo215WordnloadsBAdAsVWordmanenotyakuzaaBelchWordnetsobpBigN0gg0r420X0102I34fofhasfhiafhoiX19I239124UIUoismXSHJEHHEIIHWOolsVNwo12DeportedDeportedXkTer0GbA1onry0v03FortniteDownLOLZY0urM0mGaypussyfartlmaojkGrAcEnIgGeRaNnYvdGkqndCOqGeoRBe6BEGuiltyCrownZEuS69s4beBsEQhdHOHO-KSNDOZEuz69sat1234aj93hJ23scanHAalie293z0k2LscanJoshoARMHellInSideayyyGangShitscanJoshoARM5HighFryb1glscanJoshoARM6IWhPyucDbJboatnetzscanJoshoARM7IuYgujeIqnbtbatrtahzexsexscanJoshoM68KJJDUHEWBBBIBscanJoshoMIPSJSDGIEVIVAVIGcKbVkzGOPascanJoshoMPSLccA
DscanJoshoPPCKAZEN-OIU97chickenxingsscanJoshoSH4yakuskzm8KAZEN-PO78HcleanerscanJoshoSPCKAZEN-U79OLdbeefscanJoshoX86yakuz4c24KETASHI32ddrwelperscanarm5zPnr6HpQj2Kaishi-Iz90Ydeexecscanarm6zdrtfxcgyKatrina32doCP3fVjscanarm7zxcfhuioKsif91je39scanm68kKuasadvrhelperl33t_feetl33tl33tfeetscanmipsKuasaBinsMateeQnOhRk85rscanmpslLOLHHHOHOHBUIeXK20CL12ZnyamezyQBotBladeSPOOKYhikariwasherep4029x91xx32uhj4gbejhwizardzhra.outboatnetdbgcondiheroshimaskid.dbglzrdPownedSecurity69.aresfxlyazsxhyUNSTABLEunstable_is_the_story_of_the_universemoobotjnsd9sdoilayourmomgaeissdfjiougsiojOasisSEGRJIJHFVNHSNHEIHFOSapep999KOWAI-BAdAsVKOWAI-SADjHKipU7Ylairdropmalwareyour_verry_fucking_gayBig-Bro-Brightsefaexecshirololieagle.For-Gai-Mezy0x6axNLcloqkisvspookymythSwergjmioGKILLEJW(IU(JIWERGFJGJWJRGHetrhwewrtheIuFdKssCxzjSDFJIjioOnrYoXd666ewrtkjokethajbdf89wu823AAaasrdgsWsGA4@F6FGhostWuzHere666BOGOMIPSbeastmodedvrHelperbestmodesfc6aJfIuYDemon.xeno-is-godICY-P-0ODIJgSHUIHIfhwrgLhu87VhvQPzlunadakuexecbinTacoBellGodYololigangExecutionorbitclientAmnes
Source: global traffic HTTP traffic detected: GET /bins/byte.mpsl HTTP/1.0Data Raw: 00 00 Data Ascii:
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.16.39
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.troj.linELF@0/1@0/0
Source: /tmp/dlr.mpsl.elf (PID: 6239) File written: /tmp/byte
Source: /tmp/dlr.mpsl.elf (PID: 6239) Queries kernel information via 'uname'
Source: dlr.mpsl.elf, 6239.1.00007ffde5d18000.00007ffde5d39000.rw-.sdmp Binary or memory string: 0x86_64/usr/bin/qemu-mipsel/tmp/dlr.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dlr.mpsl.elf
Source: dlr.mpsl.elf, 6239.1.000056138c44f000.000056138c4d6000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: dlr.mpsl.elf, 6239.1.000056138c44f000.000056138c4d6000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: dlr.mpsl.elf, 6239.1.00007ffde5d18000.00007ffde5d39000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Source: Yara match File source: /tmp/byte, type: DROPPED

Remote Access Functionality

Source: Yara match File source: /tmp/byte, type: DROPPED