Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf

Overview

General Information

Sample name: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf
Analysis ID: 1522418
MD5: 2dcf5ba4fbef3d78e91ee3ce72b1c311
SHA1: b90311380234ef4173ca4e6a150917ddf71cfe91
SHA256: 544ae57dece1f369199ed5a020b40328aa29b9693d3f5ff023afd067ae725cf3
Tags: elf
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf ReversingLabs: Detection: 44%
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:38500 -> 91.92.242.153:3778
Sample listens on a socket
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf (PID: 5490) Socket: 127.0.0.1:3296 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.242.153
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.242.153
Source: unknown TCP traffic detected without corresponding DNS query: 190.149.77.211
Source: unknown TCP traffic detected without corresponding DNS query: 244.115.122.169
Source: unknown TCP traffic detected without corresponding DNS query: 41.228.12.35
Source: unknown TCP traffic detected without corresponding DNS query: 155.250.114.168
Source: unknown TCP traffic detected without corresponding DNS query: 221.162.31.213
Source: unknown TCP traffic detected without corresponding DNS query: 252.195.189.118
Source: unknown TCP traffic detected without corresponding DNS query: 148.246.186.173
Source: unknown TCP traffic detected without corresponding DNS query: 158.227.211.143
Source: unknown TCP traffic detected without corresponding DNS query: 141.249.131.93
Source: unknown TCP traffic detected without corresponding DNS query: 74.174.19.54
Source: unknown TCP traffic detected without corresponding DNS query: 109.97.109.16
Source: unknown TCP traffic detected without corresponding DNS query: 202.254.104.76
Source: unknown TCP traffic detected without corresponding DNS query: 74.178.56.155
Source: unknown TCP traffic detected without corresponding DNS query: 118.185.11.66
Source: unknown TCP traffic detected without corresponding DNS query: 19.172.194.66
Source: unknown TCP traffic detected without corresponding DNS query: 96.1.158.239
Source: unknown TCP traffic detected without corresponding DNS query: 111.156.33.211
Source: unknown TCP traffic detected without corresponding DNS query: 211.159.117.175
Source: unknown TCP traffic detected without corresponding DNS query: 125.171.144.74
Source: unknown TCP traffic detected without corresponding DNS query: 32.133.25.72
Source: unknown TCP traffic detected without corresponding DNS query: 180.247.88.207
Source: unknown TCP traffic detected without corresponding DNS query: 205.255.186.136
Source: unknown TCP traffic detected without corresponding DNS query: 176.134.20.99
Source: unknown TCP traffic detected without corresponding DNS query: 197.8.32.66
Source: unknown TCP traffic detected without corresponding DNS query: 246.238.73.166
Source: unknown TCP traffic detected without corresponding DNS query: 84.82.84.39
Source: unknown TCP traffic detected without corresponding DNS query: 70.28.19.48
Source: unknown TCP traffic detected without corresponding DNS query: 198.3.229.254
Source: unknown TCP traffic detected without corresponding DNS query: 93.57.169.165
Source: unknown TCP traffic detected without corresponding DNS query: 85.60.57.111
Source: unknown TCP traffic detected without corresponding DNS query: 168.104.30.158
Source: unknown TCP traffic detected without corresponding DNS query: 90.228.247.86
Source: unknown TCP traffic detected without corresponding DNS query: 42.47.9.254
Source: unknown TCP traffic detected without corresponding DNS query: 145.243.127.32
Source: unknown TCP traffic detected without corresponding DNS query: 175.167.152.98
Source: unknown TCP traffic detected without corresponding DNS query: 135.103.81.46
Source: unknown TCP traffic detected without corresponding DNS query: 160.162.51.237
Source: unknown TCP traffic detected without corresponding DNS query: 14.136.78.214
Source: unknown TCP traffic detected without corresponding DNS query: 94.143.188.50
Source: unknown TCP traffic detected without corresponding DNS query: 108.145.168.134
Source: unknown TCP traffic detected without corresponding DNS query: 27.211.88.66
Source: unknown TCP traffic detected without corresponding DNS query: 244.91.64.24
Source: unknown TCP traffic detected without corresponding DNS query: 156.188.174.186
Source: unknown TCP traffic detected without corresponding DNS query: 100.18.188.212
Source: unknown TCP traffic detected without corresponding DNS query: 114.229.21.197
Source: unknown TCP traffic detected without corresponding DNS query: 44.219.131.244
Source: unknown TCP traffic detected without corresponding DNS query: 204.174.162.135
Source: unknown TCP traffic detected without corresponding DNS query: 104.253.250.34
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5488.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5488.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5492.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5492.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf PID: 5488, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf PID: 5488, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: 5488.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5488.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5492.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5492.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf PID: 5488, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf PID: 5488, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal68.troj.evad.linELF@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
ELF contains segments with high entropy indicating compressed/encrypted content
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf Submission file: segment LOAD with 7.8725 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf (PID: 5488) Queries kernel information via 'uname': Jump to behavior
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5488.1.00007ffca054e000.00007ffca056f000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5492.1.00007ffca054e000.00007ffca056f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5488.1.0000560f3c845000.0000560f3c8cc000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5492.1.0000560f3c845000.0000560f3c8cc000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5488.1.0000560f3c845000.0000560f3c8cc000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5492.1.0000560f3c845000.0000560f3c8cc000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5488.1.00007ffca054e000.00007ffca056f000.rw-.sdmp, SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf, 5492.1.00007ffca054e000.00007ffca056f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: 5488.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5492.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf PID: 5488, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: 5488.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5492.1.00007f8a44400000.00007f8a44410000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Linux.Siggen.9999.30976.5557.elf PID: 5488, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
211.250.29.181
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
105.149.226.95
 unknown Morocco
6713 IAM-ASMA false
140.0.175.45
 unknown Indonesia
23700 FASTNET-AS-IDLinknet-FastnetASNID false
43.246.159.174
 unknown India
45415 VASAICABLEPVTLTD-AS-INVasaiCablePvtLtdIN false
85.11.217.244
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE false
101.215.72.243
 unknown India
58519 CHINATELECOM-CTCLOUDCloudComputingCorporationCN false
254.211.11.146
 unknown Reserved
unknown unknown false
60.249.169.59
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
53.47.55.62
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
175.201.132.21
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
89.59.0.194
 unknown Germany
5430 FREENETDEfreenetDatenkommunikationsGmbHDE false
195.48.37.253
 unknown Switzerland
1836 GREENgreenchAGAutonomousSystemEU false
192.86.180.206
 unknown United States
393773 OPOWERUS false
142.129.222.96
 unknown United States
20001 TWC-20001-PACWESTUS false
187.56.202.109
 unknown Brazil
27699 TELEFONICABRASILSABR false
150.243.50.157
 unknown United States
393750 TRUMAN-STATE-UNIVERSITYUS false
82.97.157.182
 unknown Germany
13101 TNG-ASTNGStadtnetzGmbHDE false
172.141.33.14
 unknown United States
7018 ATT-INTERNET4US false
177.117.217.217
 unknown Brazil
26599 TELEFONICABRASILSABR false
2.240.127.106
 unknown Germany
6805 TDDE-ASN1DE false
31.137.193.26
 unknown Netherlands
15480 VFNL-ASVodafoneNLAutonomousSystemNL false
205.222.37.131
 unknown United States
32073 MCPS-K12-MD-US false
123.21.123.204
 unknown Viet Nam
45899 VNPT-AS-VNVNPTCorpVN false
203.167.126.154
 unknown Philippines
9658 ETPI-IDS-AS-APEasternTelecomsPhilsIncPH false
159.105.30.195
 unknown United States
11577 GOVNET-ASNUS false
166.249.126.179
 unknown United States
22394 CELLCOUS false
78.129.8.194
 unknown Belgium
12392 ASBRUTELEVOOBE false
57.58.125.150
 unknown Belgium
2686 ATGS-MMD-ASUS false
31.174.68.215
 unknown Poland
39603 P4NETP4UMTSoperatorinPolandPL false
164.138.246.4
 unknown France
8218 NEO-ASNlegacyNeotelecomsFR false
17.76.180.25
 unknown United States
714 APPLE-ENGINEERINGUS false
252.253.124.20
 unknown Reserved
unknown unknown false
91.73.77.127
 unknown United Arab Emirates
15802 DU-AS1AE false
193.45.79.247
 unknown Sweden
1299 TELIANETTeliaCarrierEU false
73.57.43.41
 unknown United States
7922 COMCAST-7922US false
216.238.3.63
 unknown United States
46632 SOUTHWEST-ARKANSAS-TELEPHONE-COOPERATIVEUS false
170.56.218.213
 unknown United States
15854 HP_WEBSERVICESDE false
169.129.200.244
 unknown South Africa
37611 AfrihostZA false
241.53.7.44
 unknown Reserved
unknown unknown false
34.45.16.133
 unknown United States
2686 ATGS-MMD-ASUS false
83.213.176.163
 unknown Spain
12338 EUSKALTELES false
94.237.17.217
 unknown Finland
202053 UPCLOUDFI false
191.6.118.24
 unknown Brazil
262753 VOCETELECOMUNICACOESLTDABR false
146.48.19.23
 unknown Italy
137 ASGARRConsortiumGARREU false
209.52.94.129
 unknown Canada
852 ASN852CA false
148.31.43.219
 unknown United States
6400 CompaniaDominicanadeTelefonosSADO false
70.40.224.214
 unknown United States
3663 NETNET-NETUS false
242.78.224.179
 unknown Reserved
unknown unknown false
96.62.177.176
 unknown United States
35908 VPLSNETUS false
254.206.179.34
 unknown Reserved
unknown unknown false
122.153.117.174
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
189.25.108.48
 unknown Brazil
7738 TelemarNorteLesteSABR false
121.148.225.71
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
80.126.125.91
 unknown Netherlands
3265 XS4ALL-NLAmsterdamNL false
40.225.242.28
 unknown United States
4249 LILLY-ASUS false
68.187.177.67
 unknown United States
20115 CHARTER-20115US false
46.83.101.89
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
244.91.64.24
 unknown Reserved
unknown unknown false
150.154.166.225
 unknown United States
11351 TWC-11351-NORTHEASTUS false
185.93.160.208
 unknown Sweden
1257 TELE2EU false
125.1.155.220
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
121.10.230.109
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
2.215.9.178
 unknown Germany
6805 TDDE-ASN1DE false
207.161.86.135
 unknown Canada
7122 MTS-ASNCA false
191.27.245.2
 unknown Brazil
26599 TELEFONICABRASILSABR false
203.81.93.109
 unknown Myanmar
9988 MPT-APMyanmaPostsandTelecommunicationsMM false
242.70.164.178
 unknown Reserved
unknown unknown false
112.78.107.58
 unknown Taiwan; Republic of China (ROC)
45560 TOPNET-IPT-AS-APTOPNETIPTransitASKR false
167.248.21.97
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
166.107.165.208
 unknown United States
394435 ACLIBRARYUS false
213.26.199.179
 unknown Italy
3269 ASN-IBSNAZIT false
96.137.0.254
 unknown United States
7922 COMCAST-7922US false
183.243.61.12
 unknown China
56048 CMNET-BEIJING-APChinaMobileCommunicaitonsCorporationCN false
12.135.213.79
 unknown United States
7018 ATT-INTERNET4US false
121.162.158.224
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
72.244.178.196
 unknown United States
18566 MEGAPATH5-US false
46.244.221.73
 unknown Germany
8767 MNET-ASGermanyDE false
213.235.169.253
 unknown Czech Republic
25512 CDT-ASTheCzechRepublicCZ false
161.146.55.212
 unknown Australia
263740 CorporacionLaceibanetsocietyHN false
194.64.207.225
 unknown Germany
6659 NEXINTO-DE false
191.98.118.7
 unknown Colombia
13489 EPMTelecomunicacionesSAESPCO false
83.152.188.197
 unknown France
12322 PROXADFR false
219.235.251.162
 unknown China
9809 NOVANETWORKSHENZHENNOVATECHNOLOGIESDEVELOPMENTLTDCN false
80.251.171.188
 unknown United Kingdom
8220 COLTCOLTTechnologyServicesGroupLimitedGB false
104.134.8.3
 unknown United States
36384 GOOGLE-ITUS false
96.145.155.79
 unknown United States
7922 COMCAST-7922US false
251.177.116.51
 unknown Reserved
unknown unknown false
42.194.216.24
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false
213.132.106.76
 unknown Sweden
12552 IPO-EUSE false
62.76.28.60
 unknown Russian Federation
57645 LICARD-ASMoscowRU false
169.22.99.154
 unknown United States
37611 AfrihostZA false
80.154.61.217
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
120.48.122.127
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
163.91.167.124
 unknown France
17816 CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi false
73.119.109.167
 unknown United States
7922 COMCAST-7922US false
79.40.160.187
 unknown Italy
3269 ASN-IBSNAZIT false
220.32.70.26
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
106.79.86.161
 unknown India
45271 ICLNET-AS-APIdeaCellularLimitedIN false
217.77.130.46
 unknown Netherlands
12902 LUNANL false
38.237.211.64
 unknown United States
174 COGENT-174US false