Linux Analysis Report
.i.elf

Overview

General Information

Sample name: .i.elf
Analysis ID: 1669005
MD5: 4e6cf38ca04c64bbbc0de39518340fa3
SHA1: b43aa81c8fe3f4b520a1c53557c8e477100530e1
SHA256: a625601d8fe1f59102fcec617bbf4afa1f81ee305d5e8b93822541a65f7ea498
Tags: elfuser-abuse_ch

Detection

Mirai
Score: 76
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "iptables" command to insert, remove and/or manipulate rules
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

Source: .i.elf Avira: detected
Source: .i.elf Virustotal: Detection: 53%
Source: .i.elf ReversingLabs: Detection: 50%

Spreading

Source: /tmp/.i.elf (PID: 5414) Opens: /proc/net/route

Networking

Source: /bin/sh (PID: 5424) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP
Source: /bin/sh (PID: 5435) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5441) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP
Source: /bin/sh (PID: 5447) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP
Source: /bin/sh (PID: 5455) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR
Source: /bin/sh (PID: 5461) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -X CWMP_CR
Source: /bin/sh (PID: 5467) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT
Source: /bin/sh (PID: 5424) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 23 -j DROP
Source: /bin/sh (PID: 5435) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5441) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5555 -j DROP
Source: /bin/sh (PID: 5447) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --destination-port 5358 -j DROP
Source: /bin/sh (PID: 5455) Iptables executable: /usr/sbin/iptables -> iptables -D INPUT -j CWMP_CR
Source: /bin/sh (PID: 5461) Iptables executable: /usr/sbin/iptables -> iptables -X CWMP_CR
Source: /bin/sh (PID: 5467) Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p udp --dport 11002 -j ACCEPT
Source: /tmp/.i.elf (PID: 5416) Reads hosts file: /etc/hosts
Source: global traffic DNS traffic detected: DNS query: router.utorrent.com
Source: global traffic DNS traffic detected: DNS query: router.bittorrent.com
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappings Program segment: 0x100000
Source: classification engine Classification label: mal76.spre.troj.evad.linELF@0/1@4/0

Persistence and Installation Behavior

Source: /tmp/.i.elf (PID: 5416) Directory: /tmp/.p
Source: /tmp/.i.elf (PID: 5418) Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
Source: /tmp/.i.elf (PID: 5430) Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/.i.elf (PID: 5436) Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
Source: /tmp/.i.elf (PID: 5442) Shell command executed: sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
Source: /tmp/.i.elf (PID: 5450) Shell command executed: sh -c "iptables -D INPUT -j CWMP_CR"
Source: /tmp/.i.elf (PID: 5456) Shell command executed: sh -c "iptables -X CWMP_CR"
Source: /tmp/.i.elf (PID: 5462) Shell command executed: sh -c "iptables -I INPUT -p udp --dport 11002 -j ACCEPT"
Source: submitted sample Stderr:
iptables v1.8.4 (legacy): Couldn't load target `CWMP_CR':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
exit code = 0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/.i.elf (PID: 5416) File: /tmp/.i.elf
Source: .i.elf Submission file: segment LOAD with 7.9807 entropy (max. 8.0)
Source: /tmp/.i.elf (PID: 5414) Queries kernel information via 'uname'
Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.0000563b0cac9000.0000563b0cb70000.rw-.sdmp Binary or memory string: ;V!/etc/qemu-binfmt/mipsel
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp Binary or memory string: 3x86_64/usr/bin/qemu-mipsel/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
Source: .i.elf, 5414.1.00007ffeac542000.00007ffeac563000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Source: Yara match File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5414.1.00007fc83c400000.00007fc83c434000.r-x.sdmp, type: MEMORY