Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Analysis ID:	1528444
MD5:	c01e10e582965bf67489c6dde16ce070
SHA1:	dbc8d3db80f8c673bbfbcb7313f38e76d897d5c3
SHA256:	483f83f5af615b216c475681e1773a348d491e0a69f10b7223cd387f2f889e72
Tags:	elf
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Sample scans a subnet

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.228.42 ports 34567,3,4,5,6,7
Source: global traffic	TCP traffic: 5.230.228.44 ports 4443,0,1,2,5,27015,995,7
Source: global traffic	TCP traffic: 5.230.228.62 ports 34567,3,993,4,5,6,3389,7

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/lo/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Sample scans a subnet

Source: ip traffic

Subnet 5.230.228.0/24: 5.230.228.46, 5.230.228.42, 5.230.228.23, 5.230.228.45, 5.230.228.44, 5.230.228.62

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.13:38288 -> 185.248.144.209:25565
Source: global traffic	TCP traffic: 192.168.2.13:48038 -> 194.156.98.15:7777
Source: global traffic	TCP traffic: 192.168.2.13:33492 -> 94.131.118.154:25565
Source: global traffic	TCP traffic: 192.168.2.13:49060 -> 5.230.228.46:3478
Source: global traffic	TCP traffic: 192.168.2.13:57152 -> 5.230.228.62:34567
Source: global traffic	TCP traffic: 192.168.2.13:58606 -> 5.230.122.80:3389
Source: global traffic	TCP traffic: 192.168.2.13:48480 -> 5.230.228.42:34567
Source: global traffic	TCP traffic: 192.168.2.13:48798 -> 5.230.228.23:35000
Source: global traffic	TCP traffic: 192.168.2.13:60062 -> 5.230.228.44:27015
Source: global traffic	TCP traffic: 192.168.2.13:51152 -> 5.230.229.84:10001
Source: global traffic	TCP traffic: 192.168.2.13:37862 -> 5.230.228.45:18004
Source: global traffic	TCP traffic: 192.168.2.13:58962 -> 5.230.118.247:10001
Source: global traffic	TCP traffic: 192.168.2.13:46966 -> 5.230.171.8:6666

Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.23

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.spre.troj.spyw.evad.linELF@0/0@1/0

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 5416)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s			Jump to behavior
Source: /usr/bin/dash (PID: 5417)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.iU1SEy0i9P /tmp/tmp.G57otRedo4 /tmp/tmp.sO0jyoNh1s			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5429)

File: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5429)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf (PID: 5433)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.000055ebf0853000.000055ebf0981000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.000055ebf0853000.000055ebf0981000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.00007fffa67a0000.00007fffa67c1000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf, 5429.1.00007fffa67a0000.00007fffa67c1000.rw-.sdmp	Binary or memory string: Hx86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	false
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.46	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.42	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.23	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.45	unknown	Germany	12586	ASGHOSTNETDE	true
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	false
5.230.228.44	unknown	Germany	12586	ASGHOSTNETDE	true
185.248.144.209	unknown	France	31531	POINT-ASUA	false
5.230.228.62	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.229.84	unknown	Germany	12586	ASGHOSTNETDE	false
194.156.98.15	unknown	Russian Federation	135330	ADCDATACOM-AS-APADCDATACOMHK	false
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	false

Contacted Domains

Name	IP	Active
iranistrash.libre	unknown	unknown

ID:	1528444
Product:	CloudBasic
Start time:	22:44:10
Start date:	07.10.2024
Sample:	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	c01e10e582965bf67489c6dde16ce070
SHA1:	dbc8d3db80f8c673bbfbcb7313f38e76d897d5c3
SHA256:	483f83f5af615b216c475681e1773a348d491e0a69f10b7223cd387f2f889e72
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf