Linux Analysis Report
z3hir.arm7.elf

Overview

General Information

Sample name: z3hir.arm7.elf
Analysis ID: 1526845
MD5: 048385da466c9f3070c1ce5bfca94f44
SHA1: 5740deb42e6c1c0ffb0a76ed81b394ec60ae2947
SHA256: bc5af3f47541449c4fc5ccd5cfbec58592f06e343bd6c337f8b56534cd0ad50f
Tags: user-elfdigest
Infos:

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: z3hir.arm7.elf ReversingLabs: Detection: 60%
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:54332 -> 103.238.235.110:9375
Sample listens on a socket
Source: /tmp/z3hir.arm7.elf (PID: 5429) Socket: 0.0.0.0:23 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5429) Socket: 0.0.0.0:0 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5429) Socket: 0.0.0.0:80 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5429) Socket: 0.0.0.0:81 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5429) Socket: 0.0.0.0:8443 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5429) Socket: 0.0.0.0:9009 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) Socket: 0.0.0.0:0 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) Socket: 0.0.0.0:80 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) Socket: 0.0.0.0:81 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) Socket: 0.0.0.0:8443 Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) Socket: 0.0.0.0:9009 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 103.238.235.110
Source: unknown TCP traffic detected without corresponding DNS query: 103.238.235.110
Source: unknown TCP traffic detected without corresponding DNS query: 158.63.195.134
Source: unknown TCP traffic detected without corresponding DNS query: 46.13.177.134
Source: unknown TCP traffic detected without corresponding DNS query: 223.44.168.137
Source: unknown TCP traffic detected without corresponding DNS query: 207.156.158.115
Source: unknown TCP traffic detected without corresponding DNS query: 94.144.135.35
Source: unknown TCP traffic detected without corresponding DNS query: 65.189.182.219
Source: unknown TCP traffic detected without corresponding DNS query: 124.156.185.231
Source: unknown TCP traffic detected without corresponding DNS query: 178.100.191.88
Source: unknown TCP traffic detected without corresponding DNS query: 180.104.236.2
Source: unknown TCP traffic detected without corresponding DNS query: 217.59.186.110
Source: unknown TCP traffic detected without corresponding DNS query: 66.51.137.12
Source: unknown TCP traffic detected without corresponding DNS query: 213.141.96.180
Source: unknown TCP traffic detected without corresponding DNS query: 213.116.0.128
Source: unknown TCP traffic detected without corresponding DNS query: 177.163.62.193
Source: unknown TCP traffic detected without corresponding DNS query: 242.205.218.53
Source: unknown TCP traffic detected without corresponding DNS query: 190.191.20.21
Source: unknown TCP traffic detected without corresponding DNS query: 195.41.255.189
Source: unknown TCP traffic detected without corresponding DNS query: 170.120.237.33
Source: unknown TCP traffic detected without corresponding DNS query: 67.113.183.37
Source: unknown TCP traffic detected without corresponding DNS query: 95.126.232.82
Source: unknown TCP traffic detected without corresponding DNS query: 143.17.18.110
Source: unknown TCP traffic detected without corresponding DNS query: 39.40.159.126
Source: unknown TCP traffic detected without corresponding DNS query: 163.120.9.177
Source: unknown TCP traffic detected without corresponding DNS query: 12.171.244.131
Source: unknown TCP traffic detected without corresponding DNS query: 207.115.40.229
Source: unknown TCP traffic detected without corresponding DNS query: 78.140.77.172
Source: unknown TCP traffic detected without corresponding DNS query: 241.162.97.170
Source: unknown TCP traffic detected without corresponding DNS query: 199.40.99.223
Source: unknown TCP traffic detected without corresponding DNS query: 204.245.197.97
Source: unknown TCP traffic detected without corresponding DNS query: 108.140.97.66
Source: unknown TCP traffic detected without corresponding DNS query: 134.253.189.111
Source: unknown TCP traffic detected without corresponding DNS query: 247.59.171.176
Source: unknown TCP traffic detected without corresponding DNS query: 92.180.211.248
Source: unknown TCP traffic detected without corresponding DNS query: 31.123.60.209
Source: unknown TCP traffic detected without corresponding DNS query: 219.247.189.244
Source: unknown TCP traffic detected without corresponding DNS query: 255.209.140.242
Source: unknown TCP traffic detected without corresponding DNS query: 109.135.74.212
Source: unknown TCP traffic detected without corresponding DNS query: 126.92.254.221
Source: unknown TCP traffic detected without corresponding DNS query: 171.6.178.217
Source: unknown TCP traffic detected without corresponding DNS query: 103.55.8.111
Source: unknown TCP traffic detected without corresponding DNS query: 169.121.217.35
Source: unknown TCP traffic detected without corresponding DNS query: 93.170.83.107
Source: unknown TCP traffic detected without corresponding DNS query: 197.4.216.194
Source: unknown TCP traffic detected without corresponding DNS query: 156.131.88.83
Source: unknown TCP traffic detected without corresponding DNS query: 201.103.17.22
Source: unknown TCP traffic detected without corresponding DNS query: 158.224.100.194
Source: unknown TCP traffic detected without corresponding DNS query: 34.232.84.99
Source: unknown TCP traffic detected without corresponding DNS query: 108.155.205.250
Source: z3hir.arm7.elf String found in binary or memory: http://upx.sf.net

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5427.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5427.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5431.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5431.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5437.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5437.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Sample tries to kill a process (SIGKILL)
Source: /tmp/z3hir.arm7.elf (PID: 5429) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) SIGKILL sent: pid: 5429, result: successful Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) SIGKILL sent: pid: 765, result: successful Jump to behavior
Yara signature match
Source: 5427.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5427.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5431.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5431.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5437.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5437.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine Classification label: mal76.troj.evad.linELF@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Enumerates processes within the "proc" file system
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3122/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3122/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3117/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3117/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3114/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3114/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3633/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/914/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/914/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/914/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/518/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/519/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/917/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/917/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/917/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3772/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3134/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3134/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3375/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3132/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3132/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3095/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3095/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1745/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1745/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1866/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1866/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1588/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1588/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/884/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/884/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/884/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1982/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1982/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/765/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/765/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/765/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3246/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/800/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/800/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/800/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/767/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/767/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/767/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/5269/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1906/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1906/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/802/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/802/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/802/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/803/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/803/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/803/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1748/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1748/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/5429/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3420/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1482/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1482/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/490/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/490/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/490/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1480/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1480/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1755/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1755/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1238/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1875/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1875/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/2964/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3413/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1751/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1751/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1872/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1872/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/2961/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/2961/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1475/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/656/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/778/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/778/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/778/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/657/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/658/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/659/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/418/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/936/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/936/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/936/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/419/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/816/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/816/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/816/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1879/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1879/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1891/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/1891/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3310/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3153/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/3153/exe Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/780/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/780/fd Jump to behavior
Source: /tmp/z3hir.arm7.elf (PID: 5435) File opened: /proc/780/exe Jump to behavior
ELF contains segments with high entropy indicating compressed/encrypted content
Source: z3hir.arm7.elf Submission file: segment LOAD with 7.9689 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/z3hir.arm7.elf (PID: 5427) Queries kernel information via 'uname': Jump to behavior
Source: z3hir.arm7.elf, 5427.1.000056121b22f000.000056121b35d000.rw-.sdmp, z3hir.arm7.elf, 5431.1.000056121b22f000.000056121b35d000.rw-.sdmp, z3hir.arm7.elf, 5437.1.000056121b22f000.000056121b35d000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: z3hir.arm7.elf, 5427.1.000056121b22f000.000056121b35d000.rw-.sdmp, z3hir.arm7.elf, 5431.1.000056121b22f000.000056121b35d000.rw-.sdmp, z3hir.arm7.elf, 5437.1.000056121b22f000.000056121b35d000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm
Source: z3hir.arm7.elf, 5427.1.00007ffd37e59000.00007ffd37e7a000.rw-.sdmp, z3hir.arm7.elf, 5431.1.00007ffd37e59000.00007ffd37e7a000.rw-.sdmp, z3hir.arm7.elf, 5437.1.00007ffd37e59000.00007ffd37e7a000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: z3hir.arm7.elf, 5427.1.00007ffd37e59000.00007ffd37e7a000.rw-.sdmp, z3hir.arm7.elf, 5431.1.00007ffd37e59000.00007ffd37e7a000.rw-.sdmp, z3hir.arm7.elf, 5437.1.00007ffd37e59000.00007ffd37e7a000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/z3hir.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/z3hir.arm7.elf

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: 5427.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5431.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5437.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z3hir.arm7.elf PID: 5427, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z3hir.arm7.elf PID: 5431, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: 5427.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5431.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5437.1.00007f3720017000.00007f372002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z3hir.arm7.elf PID: 5427, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z3hir.arm7.elf PID: 5431, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
221.3.180.97
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
84.101.74.24
 unknown France
15557 LDCOMNETFR false
141.71.212.30
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
102.140.139.149
 unknown Gambia
25250 GAMTEL-ASGM false
198.94.43.105
 unknown United States
3356 LEVEL3US false
83.166.230.142
 unknown Russian Federation
24936 RIM2000M-AS2OdesskayastrRU false
142.232.245.47
 unknown Canada
4476 BCITCA false
177.183.68.110
 unknown Brazil
28573 CLAROSABR false
76.123.120.199
 unknown United States
7922 COMCAST-7922US false
209.69.67.174
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
148.197.201.98
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
143.24.255.34
 unknown United States
264008 LANCAMANTOANISERVICOSDEINFORMATICALTDA-MEBR false
147.152.190.162
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
65.120.120.53
 unknown United States
27235 CVC-INET-33US false
221.158.192.150
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
145.40.15.99
 unknown Netherlands
34108 BREEDBANDDELFTNL false
39.105.115.14
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false
182.210.90.164
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
190.82.10.0
 unknown Chile
7418 TELEFONICACHILESACL false
120.170.161.95
 unknown Indonesia
4761 INDOSAT-INP-APINDOSATInternetNetworkProviderID false
133.122.83.200
 unknown Japan 2522 PPP-EXPJapanNetworkInformationCenterJP false
211.95.190.163
 unknown China
135061 UNICOM-SHENZHEN-IDCChinaUnicomGuangdongIPnetworkCN false
77.116.146.91
 unknown Austria
25255 H3G-AUSTRIA-ASTELE2AUSTRIAAT false
211.38.45.224
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
209.105.198.205
 unknown Canada
25636 ONTL-2002CA false
135.149.155.143
 unknown Singapore
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
2.171.172.67
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
109.154.53.243
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
219.151.170.138
 unknown China
134420 CHINATELECOM-CHONGQING-IDCChongqingTelecomCN false
181.59.157.128
 unknown Colombia
10620 TelmexColombiaSACO false
104.59.50.212
 unknown United States
7018 ATT-INTERNET4US false
113.30.216.231
 unknown India
9971 DONGDAEMUNCABLEINTERNET-AS-KRTBROADDongdaemuncablenetwor false
180.217.64.122
 unknown Taiwan; Republic of China (ROC)
24157 VIBO-NET-ASTaiwanStarTelecomCorporationLimitedFormer false
155.244.169.93
 unknown United States
668 DNIC-AS-00668US false
151.29.4.247
 unknown Italy
1267 ASN-WINDTREIUNETEU false
42.47.173.198
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
212.101.171.179
 unknown Slovenia
28933 LTFE-ASSI false
170.199.31.111
 unknown Canada
7122 MTS-ASNCA false
70.223.83.96
 unknown United States
22394 CELLCOUS false
182.196.112.230
 unknown Korea Republic of
6619 SAMSUNGSDS-AS-KRSamsungSDSIncKR false
146.45.88.110
 unknown United States
197938 TRAVIANGAMESDE false
32.114.221.238
 unknown United States
2687 ATGS-MMD-ASUS false
43.109.200.173
 unknown Japan 4249 LILLY-ASUS false
157.65.249.91
 unknown Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
169.242.216.249
 unknown United States
47024 THE-METROHEALTH-SYSTEMUS false
48.136.74.202
 unknown United States
2686 ATGS-MMD-ASUS false
197.24.121.202
 unknown Tunisia
37693 TUNISIANATN false
90.225.178.126
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE false
114.247.173.196
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN false
130.228.56.112
 unknown Denmark
9158 TELENOR_DANMARK_ASDK false
194.132.198.137
 unknown Sweden
5601 KungligaTekniskaHogskolanSE false
193.35.139.80
 unknown United Kingdom
12576 EELtdGB false
23.168.186.175
 unknown Reserved
19681 DIGGIOUS false
159.149.141.13
 unknown Italy
137 ASGARRConsortiumGARREU false
90.2.19.233
 unknown France
3215 FranceTelecom-OrangeFR false
64.230.125.58
 unknown Canada
577 BACOMCA false
100.46.138.198
 unknown United States
14654 WAYPORTUS false
62.203.181.212
 unknown Switzerland
3303 SWISSCOMSwisscomSwitzerlandLtdCH false
99.143.31.250
 unknown United States
7018 ATT-INTERNET4US false
163.46.37.94
 unknown Japan 18126 CTCXChubuTelecommunicationsCompanyIncJP false
99.155.164.253
 unknown United States
7018 ATT-INTERNET4US false
43.131.182.182
 unknown Japan 4249 LILLY-ASUS false
65.13.97.7
 unknown United States
7018 ATT-INTERNET4US false
122.184.236.71
 unknown India
9498 BBIL-APBHARTIAirtelLtdIN false
148.65.1.224
 unknown United States
396982 GOOGLE-PRIVATE-CLOUDUS false
244.145.87.236
 unknown Reserved
unknown unknown false
42.93.206.26
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
191.187.139.253
 unknown Brazil
28573 CLAROSABR false
211.117.141.106
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
81.233.95.22
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE false
20.253.166.57
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
245.178.154.206
 unknown Reserved
unknown unknown false
64.243.102.110
 unknown United States
3561 CENTURYLINK-LEGACY-SAVVISUS false
9.238.145.132
 unknown United States
3356 LEVEL3US false
31.14.222.193
 unknown Romania
42568 DPNETBucharestInsulei4RO false
142.27.121.140
 unknown Canada
3633 PROVINCE-OF-BRITISH-COLUMBIACA false
144.73.55.159
 unknown United States
14349 KCPLASN-1US false
103.129.159.210
 unknown Australia
138184 AINPL-AS-APActivICTNetworksPTYLtdAU false
147.158.37.54
 unknown Malaysia
4788 TMNET-AS-APTMNetInternetServiceProviderMY false
136.104.63.237
 unknown United States
60311 ONEFMCH false
130.251.90.201
 unknown Italy
137 ASGARRConsortiumGARREU false
199.10.94.46
 unknown United States
397086 LAYER-HOST-HOUSTONUS false
87.74.162.81
 unknown United Kingdom
25310 ASN-CWACCESSGB false
252.7.12.151
 unknown Reserved
unknown unknown false
109.47.104.49
 unknown Germany
3209 VODANETInternationalIP-BackboneofVodafoneDE false
168.93.204.118
 unknown United States
16399 FIRSTCOMM-AS2US false
111.160.42.195
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
17.180.213.59
 unknown United States
714 APPLE-ENGINEERINGUS false
96.18.137.8
 unknown United States
11492 CABLEONEUS false
253.108.249.61
 unknown Reserved
unknown unknown false
68.250.35.64
 unknown United States
7018 ATT-INTERNET4US false
102.139.107.178
 unknown Cote D'ivoire
36974 AFNET-ASCI false
45.251.184.80
 unknown China
58668 BD-LINK-BDBDLinkCommunicationLtdBD false
187.32.189.90
 unknown Brazil
16735 ALGARTELECOMSABR false
216.252.107.80
 unknown United States
36646 YAHOO-NE1US false
159.200.99.195
 unknown Sweden
131090 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT false
151.227.4.74
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
248.21.64.168
 unknown Reserved
unknown unknown false
216.149.169.18
 unknown United States
2828 XO-AS15US false
151.187.115.95
 unknown Norway
2116 ASN-CATCHCOMNO false