Linux Analysis Report
mips.elf

Overview

General Information

Sample name: mips.elf
Analysis ID: 1632601
MD5: 233ad5c7c8dfe5ace02c9ed8ad97524f
SHA1: def3bd7bf4a3c5ab7f00439bdd2bd093f29dce1a
SHA256: 84363b3026769b79173338acf7adfef407d7a14c7b4509fce2f6ca277006234d
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 64
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (rendered graphic). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632601
Start date and time: 2025-03-08 12:15:44 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: mips.elf
Detection: MAL
Classification: mal64.troj.linELF@0/0@0/0
Command: /tmp/mips.elf
PID: 5432
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Process Tree

  • system is lnxubuntu20
  • mips.elf (PID: 5432, Parent: 5357, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.elf
    • mips.elf New Fork (PID: 5434, Parent: 5432)
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
mips.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
5432.1.00007f78a8400000.00007f78a8411000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
      No Suricata rule has matched

      AV Detection

Source: mips.elf | Avira: detected
Source: mips.elf | Virustotal: Detection: 62%
Source: mips.elf | ReversingLabs: Detection: 65%
Source: global traffic | TCP traffic: 192.168.2.13:46378 -> 5.252.177.18:5555
Source: /tmp/mips.elf (PID: 5432) | Socket: 127.0.0.1:20905
Source: unknown | TCP traffic detected without corresponding DNS query: 5.252.177.18
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal64.troj.linELF@0/0@0/0
Source: /tmp/mips.elf (PID: 5432) | Queries kernel information via 'uname'
Source: mips.elf, 5432.1.00005596cfd11000.00005596cfd98000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/mips
Source: mips.elf, 5432.1.00005596cfd11000.00005596cfd98000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 5432.1.00007ffe67f36000.00007ffe67f57000.rw-.sdmp | Binary or memory string: hx86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 5432.1.00007ffe67f36000.00007ffe67f57000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips

Stealing of Sensitive Information

Source: Yara match | File source: mips.elf, type: SAMPLE
Source: Yara match | File source: 5432.1.00007f78a8400000.00007f78a8411000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: mips.elf, type: SAMPLE
Source: Yara match | File source: 5432.1.00007f78a8400000.00007f78a8411000.r-x.sdmp, type: MEMORY
MITRE ATT&CK Matrix (rendered chart; only the matched cells carry information)

Discovery: Security Software Discovery (1)
Command and Control: Non-Standard Port (1)
      No configs have been found
Behavior Graph (ID: 1632601, Sample: mips.elf, Start date: 08/03/2025, Architecture: LINUX, Score: 64)

  • Process: mips.elf started, and in turn started a child mips.elf
  • DNS/IP Info: 5.252.177.18 (ports 46378, 46380, 46382), MIVOCLOUDMD, Moldova Republic of
  • Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai
Source | Detection | Scanner | Label
mips.elf | 63% | Virustotal |
mips.elf | 66% | ReversingLabs | Linux.Trojan.Mirai
mips.elf | 100% | Avira | EXP/ELF.Mirai.H
      No Antivirus matches

      No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
5.252.177.18 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | false
      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MIVOCLOUDMD | U0443.pdf.js | malicious | RMSRemoteAdmin | 194.180.158.11
MIVOCLOUDMD | 43 15.pdf.js | malicious | RMSRemoteAdmin | 194.180.158.11
MIVOCLOUDMD | https://040030025.blob.core.windows.net/factura/index.html | malicious | Phisher | 185.225.19.22
MIVOCLOUDMD | scan_doc_000_132.js | malicious | NetSupport RAT | 5.181.159.212
MIVOCLOUDMD | Update 5581.js | malicious | NetSupport RAT | 5.181.159.62
MIVOCLOUDMD | Payment_358.js | malicious | NetSupport RAT | 5.181.158.24
MIVOCLOUDMD | Payment_368.js | malicious | NetSupport RAT | 5.181.158.24
MIVOCLOUDMD | x86.elf | malicious | Unknown | 94.158.245.27
MIVOCLOUDMD | I586.elf | malicious | Mirai | 5.252.176.73
MIVOCLOUDMD | SPARC.elf | malicious | Mirai | 5.252.176.73
      No created / dropped files found
File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.4205803188513535
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: mips.elf
File size: 71'856 bytes
MD5: 233ad5c7c8dfe5ace02c9ed8ad97524f
SHA1: def3bd7bf4a3c5ab7f00439bdd2bd093f29dce1a
SHA256: 84363b3026769b79173338acf7adfef407d7a14c7b4509fce2f6ca277006234d
SHA512: bef16aa72d0d964afc1a5b8c8ce1895df886956fd7eda89c3743c5b4b0d43665cfb056ed291c73d191c7197a8fe1d5d49e674020a75f798b9fa99ad9068656b4
SSDEEP: 768:RzZWyvL5MsRXxPx2pqV2Ukz9HX8iJ3GecFgoSERFImpPxs6vvSp+ozXeyt42egHO:OKzPxkqV2UWGecFgoSWlHs6t0egwsnM
TLSH: 5163964D3E319FACFBA8463457F39E10A35823D526E1CA85E19CDA011F7034E645FBA9
File Content Preview: .ELF.....................@.`...4.........4. ...(.............@...@...........................E...E.....P..*P........dt.Q............................<...'..\...!'.......................<...'..8...!... ....'9... ......................<...'......!........'9.

      ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400260
Flags: 0x1007
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 71336
Section Header Size: 40
Number of Section Headers: 13
Header String Table Index: 12
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400120 | 0x120 | 0xee90 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x40efb0 | 0xefb0 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x40f010 | 0xf010 | 0x1670 | 0x0 | 0x2 | A | 0 | 0 | 16
.ctors | PROGBITS | 0x451000 | 0x11000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x451008 | 0x11008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x451020 | 0x11020 | 0x2e0 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x451300 | 0x11300 | 0x350 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
.sbss | NOBITS | 0x451650 | 0x11650 | 0xc | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.bss | NOBITS | 0x451660 | 0x11650 | 0x23f0 | 0x0 | 0x3 | WA | 0 | 0 | 16
.mdebug.abi32 | PROGBITS | 0x7bc | 0x11650 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x11650 | 0x57 | 0x0 | 0x0 |  | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x10680 | 0x10680 | 5.5883 | 0x5 | R E | 0x10000 |  | .init .text .fini .rodata
LOAD | 0x11000 | 0x451000 | 0x451000 | 0x650 | 0x2a50 | 3.2297 | 0x6 | RW | 0x10000 |  | .ctors .dtors .data .got .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |  |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 8, 2025 12:16:35.415505886 CET | 46378 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:35.420802116 CET | 5555 | 46378 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:35.420864105 CET | 46378 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:35.439830065 CET | 46378 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:35.444961071 CET | 5555 | 46378 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:35.445015907 CET | 46378 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:35.450171947 CET | 5555 | 46378 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:45.448898077 CET | 46378 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:45.454139948 CET | 5555 | 46378 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:56.989535093 CET | 5555 | 46378 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:56.990288973 CET | 46378 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:56.995341063 CET | 5555 | 46378 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:57.995686054 CET | 46380 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:58.001091003 CET | 5555 | 46380 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:58.001283884 CET | 46380 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:58.003196955 CET | 46380 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:58.012933969 CET | 5555 | 46380 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:16:58.013045073 CET | 46380 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:16:58.019757986 CET | 5555 | 46380 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:19.397546053 CET | 5555 | 46380 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:19.398153067 CET | 46380 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:19.403271914 CET | 5555 | 46380 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:20.403184891 CET | 46382 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:20.408521891 CET | 5555 | 46382 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:20.408909082 CET | 46382 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:20.410697937 CET | 46382 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:20.415781975 CET | 5555 | 46382 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:20.416049004 CET | 46382 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:20.421073914 CET | 5555 | 46382 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:41.789048910 CET | 5555 | 46382 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:41.789621115 CET | 46382 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:41.794965029 CET | 5555 | 46382 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:42.795485020 CET | 46384 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:42.899295092 CET | 5555 | 46384 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:42.899519920 CET | 46384 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:42.902257919 CET | 46384 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:42.907497883 CET | 5555 | 46384 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:42.907653093 CET | 46384 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:42.912678957 CET | 5555 | 46384 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:17:52.912612915 CET | 46384 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:17:52.918139935 CET | 5555 | 46384 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:04.273441076 CET | 5555 | 46384 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:04.273817062 CET | 46384 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:04.279304981 CET | 5555 | 46384 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:05.279061079 CET | 46386 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:05.284415007 CET | 5555 | 46386 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:05.284502029 CET | 46386 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:05.286891937 CET | 46386 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:05.292272091 CET | 5555 | 46386 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:05.292349100 CET | 46386 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:05.297837973 CET | 5555 | 46386 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:26.650547028 CET | 5555 | 46386 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:26.651256084 CET | 46386 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:26.656356096 CET | 5555 | 46386 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:27.657265902 CET | 46388 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:27.662559032 CET | 5555 | 46388 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:27.662640095 CET | 46388 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:27.665270090 CET | 46388 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:27.670461893 CET | 5555 | 46388 | 5.252.177.18 | 192.168.2.13
Mar 8, 2025 12:18:27.670526028 CET | 46388 | 5555 | 192.168.2.13 | 5.252.177.18
Mar 8, 2025 12:18:27.675575972 CET | 5555 | 46388 | 5.252.177.18 | 192.168.2.13

      System Behavior

Start time (UTC): 11:16:34
Start date (UTC): 08/03/2025
Path: /tmp/mips.elf
Arguments: /tmp/mips.elf
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Start time (UTC): 11:16:34
Start date (UTC): 08/03/2025
Path: /tmp/mips.elf
Arguments: -
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c