Linux Analysis Report
Mozi.m.elf

Overview

General Information

Sample name: Mozi.m.elf
Analysis ID: 1560601
MD5: 6ff4148d7e8b20a23936bf668c52d111
SHA1: 2c3842efd8f52f941d214fb82de5c083be8ad8e1
SHA256: 42af00743a29b4392cb3e3014618772c5520fe64608830671386336290d9235c
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Mozi.m.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: Mozi.m.elf ReversingLabs: Detection: 42%
Source: Mozi.m.elf Virustotal: Detection: 28% Perma Link
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Mozi.m.elf, type: SAMPLE Matched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: 6252.1.00007f8980400000.00007f8980422000.r-x.sdmp, type: MEMORY Matched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Yara signature match
Source: Mozi.m.elf, type: SAMPLE Matched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: 6252.1.00007f8980400000.00007f8980422000.r-x.sdmp, type: MEMORY Matched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: classification engine Classification label: mal64.linELF@0/0@0/0
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 6225) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.g2tmwYyzI1 /tmp/tmp.WIHK5A4Zbs /tmp/tmp.g81a0kguxI Jump to behavior
Source: /usr/bin/dash (PID: 6226) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.g2tmwYyzI1 /tmp/tmp.WIHK5A4Zbs /tmp/tmp.g81a0kguxI Jump to behavior
ELF contains segments with high entropy indicating compressed/encrypted content
Source: Mozi.m.elf Submission file: segment LOAD with 7.7906 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/Mozi.m.elf (PID: 6252) Queries kernel information via 'uname': Jump to behavior
Source: Mozi.m.elf, 6252.1.00005594b4df4000.00005594b4e7b000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: Mozi.m.elf, 6252.1.00005594b4df4000.00005594b4e7b000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: Mozi.m.elf, 6252.1.00007ffd4a568000.00007ffd4a589000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: Mozi.m.elf, 6252.1.00007ffd4a568000.00007ffd4a589000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/Mozi.m.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Mozi.m.elf
Source: Mozi.m.elf, 6252.1.00007ffd4a568000.00007ffd4a589000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.171.230.55
 unknown United States
16509 AMAZON-02US false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false