Linux Analysis Report
.i.elf

Overview

General Information

Sample name:	.i.elf
Analysis ID:	1669005
MD5:	4e6cf38ca04c64bbbc0de39518340fa3
SHA1:	b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256:	a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Executes the "iptables" command to insert, remove and/or manipulate rules

Opens /proc/net/* files useful for finding connected devices and routers

Sample deletes itself

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "iptables" command used for managing IP filtering and manipulation

Reads the 'hosts' file potentially containing internal network hosts

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: .i.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: .i.elf	Virustotal: Detection: 53%			Perma Link
Source: .i.elf	ReversingLabs: Detection: 50%

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/.i.elf (PID: 5414)

Opens: /proc/net/route

Jump to behavior

Networking

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 5424)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.221.103.244:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 67.215.246.10:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.140.117.203:4093
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 5.3.252.254:26761
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 77.172.35.225:27542
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 14.192.214.208:12423
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 80.11.235.118:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 181.42.46.105:37746
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.193.152.141:45956
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.240.69.24:55604
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.139.172.241:37982
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 103.199.205.126:53324
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 177.52.82.94:12999
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 117.24.165.173:25324
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 117.24.165.65:36141
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 124.91.148.108:33676
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 119.34.160.228:12298
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 58.241.139.153:6887
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 2.103.108.201:55642
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 81.101.129.89:27596
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 112.118.83.13:11018
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 148.71.121.183:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 178.247.145.191:23759
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.255.55.114:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 109.94.85.146:62788
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.192.20.140:5889
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 211.48.88.198:33231
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 78.85.4.135:4609
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 213.94.41.136:22535
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 41.193.87.152:26584
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 201.188.189.46:51145
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 195.98.68.52:1313
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.175.39.237:25921
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.239.227.43:1797
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 99.240.197.244:61706
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 45.238.183.98:8983
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.177.128.82:1793
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 68.226.67.22:54102
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.56.32.232:50639
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 98.209.107.208:47204
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 90.201.53.148:56521
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.39.237.234:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 83.222.166.141:20550
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 213.80.212.27:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 54.70.174.84:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 199.45.219.152:16495
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 179.96.135.23:23860
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 92.16.182.203:36939
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 144.76.166.157:50000
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.129.211.64:47778
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 187.190.166.141:1642
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 198.162.193.189:63259
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 177.52.48.235:3476
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.50.89.36:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.2.115.47:35216
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.65.232.39:50118
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 2.183.108.235:42399
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.101.84.250:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 176.226.202.11:26359
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.148.125.188:7777
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.121.7.132:51413
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.190.191.74:38004
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 94.68.18.162:53262
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.196.45.102:4124
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 31.60.104.7:6026
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.26.87.94:35380
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.89.244.83:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.185.46.91:46886
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 175.204.168.7:40736
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 144.217.181.115:63949
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 222.187.254.73:17207
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 54.77.218.23:6992
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 106.14.195.230:11159

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 5424)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Reads the 'hosts' file potentially containing internal network hosts

Source: /tmp/.i.elf (PID: 5416)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 79.140.117.203
Source: unknown	UDP traffic detected without corresponding DNS query: 5.3.252.254
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 14.192.214.208
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 80.11.235.118
Source: unknown	UDP traffic detected without corresponding DNS query: 181.42.46.105
Source: unknown	UDP traffic detected without corresponding DNS query: 190.193.152.141
Source: unknown	UDP traffic detected without corresponding DNS query: 5.3.252.254
Source: unknown	UDP traffic detected without corresponding DNS query: 190.240.69.24
Source: unknown	UDP traffic detected without corresponding DNS query: 189.139.172.241
Source: unknown	UDP traffic detected without corresponding DNS query: 103.199.205.126
Source: unknown	UDP traffic detected without corresponding DNS query: 190.240.69.24
Source: unknown	UDP traffic detected without corresponding DNS query: 177.52.82.94
Source: unknown	UDP traffic detected without corresponding DNS query: 117.24.165.173
Source: unknown	UDP traffic detected without corresponding DNS query: 117.24.165.65
Source: unknown	UDP traffic detected without corresponding DNS query: 124.91.148.108
Source: unknown	UDP traffic detected without corresponding DNS query: 119.34.160.228
Source: unknown	UDP traffic detected without corresponding DNS query: 58.241.139.153
Source: unknown	UDP traffic detected without corresponding DNS query: 2.103.108.201
Source: unknown	UDP traffic detected without corresponding DNS query: 81.101.129.89
Source: unknown	UDP traffic detected without corresponding DNS query: 112.118.83.13
Source: unknown	UDP traffic detected without corresponding DNS query: 148.71.121.183
Source: unknown	UDP traffic detected without corresponding DNS query: 178.247.145.191
Source: unknown	UDP traffic detected without corresponding DNS query: 188.255.55.114
Source: unknown	UDP traffic detected without corresponding DNS query: 109.94.85.146
Source: unknown	UDP traffic detected without corresponding DNS query: 91.192.20.140
Source: unknown	UDP traffic detected without corresponding DNS query: 211.48.88.198
Source: unknown	UDP traffic detected without corresponding DNS query: 78.85.4.135
Source: unknown	UDP traffic detected without corresponding DNS query: 213.94.41.136
Source: unknown	UDP traffic detected without corresponding DNS query: 41.193.87.152
Source: unknown	UDP traffic detected without corresponding DNS query: 201.188.189.46
Source: unknown	UDP traffic detected without corresponding DNS query: 195.98.68.52
Source: unknown	UDP traffic detected without corresponding DNS query: 80.11.235.118
Source: unknown	UDP traffic detected without corresponding DNS query: 91.175.39.237
Source: unknown	UDP traffic detected without corresponding DNS query: 91.239.227.43
Source: unknown	UDP traffic detected without corresponding DNS query: 99.240.197.244
Source: unknown	UDP traffic detected without corresponding DNS query: 45.238.183.98
Source: unknown	UDP traffic detected without corresponding DNS query: 79.177.128.82
Source: unknown	UDP traffic detected without corresponding DNS query: 68.226.67.22
Source: unknown	UDP traffic detected without corresponding DNS query: 190.56.32.232
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 98.209.107.208
Source: unknown	UDP traffic detected without corresponding DNS query: 14.192.214.208
Source: unknown	UDP traffic detected without corresponding DNS query: 90.201.53.148
Source: unknown	UDP traffic detected without corresponding DNS query: 82.39.237.234
Source: unknown	UDP traffic detected without corresponding DNS query: 79.140.117.203
Source: unknown	UDP traffic detected without corresponding DNS query: 195.98.68.52

Source: global traffic	DNS traffic detected: DNS query: router.utorrent.com
Source: global traffic	DNS traffic detected: DNS query: router.bittorrent.com
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x100000

Source: classification engine

Classification label: mal76.spre.troj.evad.linELF@0/1@4/0

Persistence and Installation Behavior

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 5424)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Creates hidden files and/or directories

Source: /tmp/.i.elf (PID: 5416)

Directory: /tmp/.p

Jump to behavior

Enumerates processes within the "proc" file system

Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/914/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3095/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1588/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1906/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/802/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/803/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3420/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1482/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/490/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1480/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/255/cmdline	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/.i.elf (PID: 5418)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5430)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5436)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5442)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5450)	Shell command executed: sh -c "iptables -D INPUT -j CWMP_CR"	Jump to behavior
Source: /tmp/.i.elf (PID: 5456)	Shell command executed: sh -c "iptables -X CWMP_CR"	Jump to behavior
Source: /tmp/.i.elf (PID: 5462)	Shell command executed: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"	Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 5424)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Source: submitted sample

Stderr: iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directoryTry `iptables -h' or 'iptables --help' for more information.iptables: No chain/target/match by that name.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/.i.elf (PID: 5416)

File: /tmp/.i.elf

Jump to behavior

ELF contains segments with high entropy indicating compressed/encrypted content

Source: .i.elf

Submission file: segment LOAD with 7.9807 entropy (max. 8.0)

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/.i.elf (PID: 5414)

Queries kernel information via 'uname':

Jump to behavior

Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp	Binary or memory string: ;V!/etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp	Binary or memory string: 3x86_64/usr/bin/qemu-mipsel/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
119.34.160.228	unknown	China	17622	CNCGROUP-GZChinaUnicomGuangzhounetworkCN	false
189.129.211.64	unknown	Mexico	8151	UninetSAdeCVMX	false
189.139.172.241	unknown	Mexico	8151	UninetSAdeCVMX	false
181.42.46.105	unknown	Chile	27651	ENTELCHILESACL	false
195.98.68.52	unknown	Russian Federation	6856	IC-VORONEZH-ASInformsvyaz-ChernozemyeRU	false
31.60.104.7	unknown	Poland	5617	TPNETPL	false
99.240.197.244	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
78.85.4.135	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
14.192.214.208	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	false
80.11.235.118	unknown	France	3215	FranceTelecom-OrangeFR	false
187.190.166.141	unknown	Mexico	17072	TOTALPLAYTELECOMUNICACIONESSADECVMX	false
177.52.82.94	unknown	Brazil	262439	JARDNETINFORMATICALTDA-EPPBR	false
79.190.191.74	unknown	Poland	5617	TPNETPL	false
77.172.35.225	unknown	Netherlands	1136	KPNKPNNationalEU	false
190.56.32.232	unknown	Guatemala	14754	TelguaGT	false
199.45.219.152	unknown	United States	2379	CENTURYLINK-LEGACY-EMBARQ-WNPKUS	false
58.241.139.153	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
190.101.84.250	unknown	Chile	22047	VTRBANDAANCHASACL	false
41.193.87.152	unknown	South Africa	11845	Vox-TelecomZA	false
5.3.252.254	unknown	Russian Federation	50543	SARATOV-ASRU	false
79.177.128.82	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	false
222.187.254.73	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
81.101.129.89	unknown	United Kingdom	5089	NTLGB	false
113.148.125.188	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
144.217.181.115	unknown	Canada	16276	OVHFR	false
109.94.85.146	unknown	Russian Federation	50060	ANNETRU	false
190.240.69.24	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
190.193.152.141	unknown	Argentina	10481	TelecomArgentinaSAAR	false
117.24.165.173	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
179.96.135.23	unknown	Brazil	28634	LifeTecnologiaLtdaBR	false
82.221.103.244	router.utorrent.com	Iceland	50613	THORDC-ASIS	false
113.89.244.83	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
188.2.115.47	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	false
148.71.121.183	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	false
54.70.174.84	unknown	United States	16509	AMAZON-02US	false
198.162.193.189	unknown	United States	46231	WATCHCOMM-INUS	false
79.185.46.91	unknown	Poland	5617	TPNETPL	false
176.226.202.11	unknown	Russian Federation	8369	INTERSVYAZ-AS38-BKomsomolskyprospektRU	false
92.16.182.203	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
117.24.165.65	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
177.52.48.235	unknown	Brazil	28198	IsimplesTelecomeHardwareLtdaBR	false
91.192.20.140	unknown	Russian Federation	42291	ISTRANET-ASIstranetLLCASRU	false
91.121.7.132	unknown	France	16276	OVHFR	false
2.103.108.201	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
45.238.183.98	unknown	Colombia	266860	CONEXIONDIGITALEXPRESSSASCO	false
82.39.237.234	unknown	United Kingdom	5089	NTLGB	false
68.226.67.22	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
213.94.41.136	unknown	Spain	3313	INET-ASIT	false
189.196.45.102	unknown	Mexico	13999	MegaCableSAdeCVMX	false
175.204.168.7	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
54.77.218.23	unknown	United States	16509	AMAZON-02US	false
144.76.166.157	unknown	Germany	24940	HETZNER-ASDE	false
113.26.87.94	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
79.140.117.203	unknown	Germany	15366	DNSNETGermanInternetServiceProvidersDE	false
201.188.189.46	unknown	Chile	7418	TELEFONICACHILESACL	false
213.80.212.27	unknown	Russian Federation	15974	VTT-ASISPSaratovRussiaRU	false
124.91.148.108	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
211.48.88.198	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
67.215.246.10	router.bittorrent.com	United States	8100	ASN-QUADRANET-GLOBALUS	false
83.222.166.141	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
91.175.39.237	unknown	France	12322	PROXADFR	false
103.199.205.126	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
106.14.195.230	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
112.118.83.13	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
91.239.227.43	unknown	unknown	14576	HOSTING-SOLUTIONSUS	false
178.247.145.191	unknown	Turkey	16135	TURKCELL-ASTurkcellASTR	false
98.209.107.208	unknown	United States	7922	COMCAST-7922US	false
82.50.89.36	unknown	Italy	3269	ASN-IBSNAZIT	false
94.68.18.162	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	false
2.183.108.235	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
90.201.53.148	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
188.65.232.39	unknown	Russian Federation	38984	M9COM-ASRU	false
188.255.55.114	unknown	Russian Federation	42610	NCNET-ASRU	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.24	true
router.bittorrent.com	67.215.246.10	true
router.utorrent.com	82.221.103.244	true

Name	Type	MD5	SHA1	SHA256
/tmp/qemu-open.FTTWRK (deleted)	data	E4B87097E4B36E14500B9CE57C45EA25	DE3D58C12CA45D58E41455D0B693AF835D7F7361	7AD8A46FA4EADA251D0628721EEA0DE6EA917EC6B820146172179FFA68FC44A8

AV Detection

Antivirus / Scanner detection for submitted sample

Source: .i.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: .i.elf	Virustotal: Detection: 53%			Perma Link
Source: .i.elf	ReversingLabs: Detection: 50%

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/.i.elf (PID: 5414)

Opens: /proc/net/route

Jump to behavior

Networking

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 5424)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.221.103.244:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 67.215.246.10:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.140.117.203:4093
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 5.3.252.254:26761
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 77.172.35.225:27542
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 14.192.214.208:12423
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 80.11.235.118:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 181.42.46.105:37746
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.193.152.141:45956
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.240.69.24:55604
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.139.172.241:37982
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 103.199.205.126:53324
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 177.52.82.94:12999
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 117.24.165.173:25324
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 117.24.165.65:36141
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 124.91.148.108:33676
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 119.34.160.228:12298
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 58.241.139.153:6887
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 2.103.108.201:55642
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 81.101.129.89:27596
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 112.118.83.13:11018
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 148.71.121.183:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 178.247.145.191:23759
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.255.55.114:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 109.94.85.146:62788
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.192.20.140:5889
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 211.48.88.198:33231
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 78.85.4.135:4609
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 213.94.41.136:22535
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 41.193.87.152:26584
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 201.188.189.46:51145
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 195.98.68.52:1313
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.175.39.237:25921
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.239.227.43:1797
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 99.240.197.244:61706
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 45.238.183.98:8983
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.177.128.82:1793
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 68.226.67.22:54102
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.56.32.232:50639
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 98.209.107.208:47204
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 90.201.53.148:56521
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.39.237.234:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 83.222.166.141:20550
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 213.80.212.27:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 54.70.174.84:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 199.45.219.152:16495
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 179.96.135.23:23860
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 92.16.182.203:36939
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 144.76.166.157:50000
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.129.211.64:47778
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 187.190.166.141:1642
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 198.162.193.189:63259
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 177.52.48.235:3476
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 82.50.89.36:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.2.115.47:35216
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 188.65.232.39:50118
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 2.183.108.235:42399
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 190.101.84.250:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 176.226.202.11:26359
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.148.125.188:7777
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 91.121.7.132:51413
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.190.191.74:38004
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 94.68.18.162:53262
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 189.196.45.102:4124
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 31.60.104.7:6026
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.26.87.94:35380
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 113.89.244.83:6881
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 79.185.46.91:46886
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 175.204.168.7:40736
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 144.217.181.115:63949
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 222.187.254.73:17207
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 54.77.218.23:6992
Source: global traffic	UDP traffic: 192.168.2.13:11002 -> 106.14.195.230:11159

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 5424)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Reads the 'hosts' file potentially containing internal network hosts

Source: /tmp/.i.elf (PID: 5416)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 79.140.117.203
Source: unknown	UDP traffic detected without corresponding DNS query: 5.3.252.254
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 14.192.214.208
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 80.11.235.118
Source: unknown	UDP traffic detected without corresponding DNS query: 181.42.46.105
Source: unknown	UDP traffic detected without corresponding DNS query: 190.193.152.141
Source: unknown	UDP traffic detected without corresponding DNS query: 5.3.252.254
Source: unknown	UDP traffic detected without corresponding DNS query: 190.240.69.24
Source: unknown	UDP traffic detected without corresponding DNS query: 189.139.172.241
Source: unknown	UDP traffic detected without corresponding DNS query: 103.199.205.126
Source: unknown	UDP traffic detected without corresponding DNS query: 190.240.69.24
Source: unknown	UDP traffic detected without corresponding DNS query: 177.52.82.94
Source: unknown	UDP traffic detected without corresponding DNS query: 117.24.165.173
Source: unknown	UDP traffic detected without corresponding DNS query: 117.24.165.65
Source: unknown	UDP traffic detected without corresponding DNS query: 124.91.148.108
Source: unknown	UDP traffic detected without corresponding DNS query: 119.34.160.228
Source: unknown	UDP traffic detected without corresponding DNS query: 58.241.139.153
Source: unknown	UDP traffic detected without corresponding DNS query: 2.103.108.201
Source: unknown	UDP traffic detected without corresponding DNS query: 81.101.129.89
Source: unknown	UDP traffic detected without corresponding DNS query: 112.118.83.13
Source: unknown	UDP traffic detected without corresponding DNS query: 148.71.121.183
Source: unknown	UDP traffic detected without corresponding DNS query: 178.247.145.191
Source: unknown	UDP traffic detected without corresponding DNS query: 188.255.55.114
Source: unknown	UDP traffic detected without corresponding DNS query: 109.94.85.146
Source: unknown	UDP traffic detected without corresponding DNS query: 91.192.20.140
Source: unknown	UDP traffic detected without corresponding DNS query: 211.48.88.198
Source: unknown	UDP traffic detected without corresponding DNS query: 78.85.4.135
Source: unknown	UDP traffic detected without corresponding DNS query: 213.94.41.136
Source: unknown	UDP traffic detected without corresponding DNS query: 41.193.87.152
Source: unknown	UDP traffic detected without corresponding DNS query: 201.188.189.46
Source: unknown	UDP traffic detected without corresponding DNS query: 195.98.68.52
Source: unknown	UDP traffic detected without corresponding DNS query: 80.11.235.118
Source: unknown	UDP traffic detected without corresponding DNS query: 91.175.39.237
Source: unknown	UDP traffic detected without corresponding DNS query: 91.239.227.43
Source: unknown	UDP traffic detected without corresponding DNS query: 99.240.197.244
Source: unknown	UDP traffic detected without corresponding DNS query: 45.238.183.98
Source: unknown	UDP traffic detected without corresponding DNS query: 79.177.128.82
Source: unknown	UDP traffic detected without corresponding DNS query: 68.226.67.22
Source: unknown	UDP traffic detected without corresponding DNS query: 190.56.32.232
Source: unknown	UDP traffic detected without corresponding DNS query: 77.172.35.225
Source: unknown	UDP traffic detected without corresponding DNS query: 98.209.107.208
Source: unknown	UDP traffic detected without corresponding DNS query: 14.192.214.208
Source: unknown	UDP traffic detected without corresponding DNS query: 90.201.53.148
Source: unknown	UDP traffic detected without corresponding DNS query: 82.39.237.234
Source: unknown	UDP traffic detected without corresponding DNS query: 79.140.117.203
Source: unknown	UDP traffic detected without corresponding DNS query: 195.98.68.52

Source: global traffic	DNS traffic detected: DNS query: router.utorrent.com
Source: global traffic	DNS traffic detected: DNS query: router.bittorrent.com
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x100000

Source: classification engine

Classification label: mal76.spre.troj.evad.linELF@0/1@4/0

Persistence and Installation Behavior

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 5424)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Creates hidden files and/or directories

Source: /tmp/.i.elf (PID: 5416)

Directory: /tmp/.p

Jump to behavior

Enumerates processes within the "proc" file system

Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/914/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/917/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3095/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1588/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/800/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1906/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/802/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/803/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/3420/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1482/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/490/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1480/fd	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/.i.elf (PID: 5416)	File opened: /proc/255/cmdline	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/.i.elf (PID: 5418)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5430)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5436)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5442)	Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"	Jump to behavior
Source: /tmp/.i.elf (PID: 5450)	Shell command executed: sh -c "iptables -D INPUT -j CWMP_CR"	Jump to behavior
Source: /tmp/.i.elf (PID: 5456)	Shell command executed: sh -c "iptables -X CWMP_CR"	Jump to behavior
Source: /tmp/.i.elf (PID: 5462)	Shell command executed: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"	Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 5424)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5435)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5441)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5447)	Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5461)	Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR	Jump to behavior
Source: /bin/sh (PID: 5467)	Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT	Jump to behavior

Source: submitted sample

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/.i.elf (PID: 5416)

File: /tmp/.i.elf

Jump to behavior

ELF contains segments with high entropy indicating compressed/encrypted content

Source: .i.elf

Submission file: segment LOAD with 7.9807 entropy (max. 8.0)

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/.i.elf (PID: 5414)

Queries kernel information via 'uname':

Jump to behavior

Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp	Binary or memory string: ;V!/etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp	Binary or memory string: 3x86_64/usr/bin/qemu-mipsel/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

ID:	1669005
Product:	CloudBasic
Start time:	04:09:24
Start date:	19.04.2025
Sample:	.i.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	4e6cf38ca04c64bbbc0de39518340fa3
SHA1:	b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256:	a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
.i.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report .i.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
.i.elf

Malware Threat Intel
Provided by