Linux Analysis Report uRQVqbl0sQ

Overview

General Information

Sample Name: uRQVqbl0sQ
Analysis ID: 519456
MD5: b3912b6cc3cc37dedb72c478cb3b8a11
SHA1: dcf11bf6eb7dc7cb78cc4b1155539a61946682be
SHA256: 0d6118773c685f8e28933621ea9069678136d09a361babf004229ea414aa89ab
Tags: 32, elf, mirai, renesas

Detection

Mirai
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Uses known network protocols on non-standard ports
Yara signature match
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample tries to kill a process (SIGKILL)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: uRQVqbl0sQ Avira: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:40320 -> 163.172.183.97:9375
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary:

Malicious sample detected (through community Yara rule)
Source: uRQVqbl0sQ, type: SAMPLE Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: uRQVqbl0sQ, type: SAMPLE Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5248.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5248.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5251.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5251.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5257.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5257.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Yara signature match
Source: uRQVqbl0sQ, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research
Source: uRQVqbl0sQ, type: SAMPLE Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/uRQVqbl0sQ (PID: 5250) SIGKILL sent: pid: 759, result: successful
Source: /tmp/uRQVqbl0sQ (PID: 5256) SIGKILL sent: pid: 759, result: successful
Source: classification engine Classification label: mal92.troj.lin@0/0@0/0
Source: uRQVqbl0sQ Joe Sandbox Cloud Basic: Detection: clean Score: 0

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/uRQVqbl0sQ (PID: 5248) Queries kernel information via 'uname'
Source: uRQVqbl0sQ, 5248.1.000000006201dacc.00000000a8f5863d.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: uRQVqbl0sQ, 5248.1.000000006201dacc.00000000a8f5863d.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/uRQVqbl0sQSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uRQVqbl0sQ
Source: uRQVqbl0sQ, 5248.1.000000006b334927.00000000caa04d9f.rw-.sdmp Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: uRQVqbl0sQ, 5248.1.000000006b334927.00000000caa04d9f.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: uRQVqbl0sQ, type: SAMPLE
Source: Yara match File source: 5248.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5251.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5257.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: uRQVqbl0sQ, type: SAMPLE
Source: Yara match File source: 5248.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5251.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5257.1.000000008e3e6270.00000000577ea06f.r-x.sdmp, type: MEMORY