Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf

Overview

General Information

Sample name: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Analysis ID: 1528446
MD5: 5d959c2b7278b8c8b2c4a3f1554bb96e
SHA1: a2ff0e2fd22b31f16f2b3bcc7a3e5ac61c03f5d0
SHA256: 727d897cbf2466bc6390ec82e4056aa5047597390719fd1c556fef01303d91bd
Tags: elf
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Connects to many ports of the same IP (likely port scanning)
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample scans a subnet
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 5.230.171.8 ports 22022,3,4,3478,3544,7,8
Source: global traffic TCP traffic: 5.230.122.80 ports 7000,34567,3,4,5,6,3389,7
Source: global traffic TCP traffic: 94.131.118.154 ports 35000,0,1,2,4,27014,7
Opens /sys/class/net/* files useful for querying network interface information
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628) Opens: /sys/class/net/ Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628) Opens: /sys/class/net/ens160/address Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628) Opens: /sys/class/net/ens160/flags Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628) Opens: /sys/class/net/ens160/carrier Jump to behavior
Sample scans a subnet
Source: ip traffic Subnet 5.230.228.0/24: 5.230.228.47, 5.230.228.46, 5.230.228.42, 5.230.228.44, 5.230.228.62
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.15:34592 -> 185.248.144.209:7000
Source: global traffic TCP traffic: 192.168.2.15:56206 -> 5.230.171.8:3478
Source: global traffic TCP traffic: 192.168.2.15:60560 -> 5.230.228.44:10001
Source: global traffic TCP traffic: 192.168.2.15:49554 -> 5.230.171.9:7777
Source: global traffic TCP traffic: 192.168.2.15:45434 -> 194.156.98.15:993
Source: global traffic TCP traffic: 192.168.2.15:39694 -> 5.230.228.47:2022
Source: global traffic TCP traffic: 192.168.2.15:55080 -> 5.230.122.80:34567
Source: global traffic TCP traffic: 192.168.2.15:50404 -> 5.230.228.46:2022
Source: global traffic TCP traffic: 192.168.2.15:60072 -> 5.230.122.82:3389
Source: global traffic TCP traffic: 192.168.2.15:33758 -> 5.230.228.62:993
Source: global traffic TCP traffic: 192.168.2.15:37800 -> 94.131.118.154:27014
Source: global traffic TCP traffic: 192.168.2.15:41856 -> 5.230.228.42:19153
Source: global traffic TCP traffic: 192.168.2.15:50728 -> 5.230.118.247:9000
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: global traffic DNS traffic detected: DNS query: iranistrash.libre
Source: unknown Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60874
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.spre.troj.spyw.evad.linELF@0/0@1/0
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5605) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2 Jump to behavior
Source: /usr/bin/dash (PID: 5606) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O4CuIEpsBu /tmp/tmp.vVFwAXA4E6 /tmp/tmp.brf0F1ZgS2 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5624) File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5624) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf (PID: 5628) Queries kernel information via 'uname': Jump to behavior
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.000055bd1bb5c000.000055bd1bbc1000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sparc
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.000055bd1bb5c000.000055bd1bbc1000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.00007ffd67511000.00007ffd67532000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf
Source: SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf, 5624.1.00007ffd67511000.00007ffd67532000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sparc

HIPS / PFW / Operating System Protection Evasion
barindex
Performs DNS TXT record lookups
Source: Traffic DNS traffic detected: queries for: iranistrash.libre
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
5.230.171.9
 unknown Germany
12586 ASGHOSTNETDE false
5.230.171.8
 unknown Germany
12586 ASGHOSTNETDE true
5.230.122.82
 unknown Germany
12586 ASGHOSTNETDE false
5.230.122.80
 unknown Germany
12586 ASGHOSTNETDE true
5.230.228.47
 unknown Germany
12586 ASGHOSTNETDE true
172.217.192.127
 unknown United States
15169 GOOGLEUS false
5.230.228.46
 unknown Germany
12586 ASGHOSTNETDE true
5.230.228.42
 unknown Germany
12586 ASGHOSTNETDE true
5.230.228.44
 unknown Germany
12586 ASGHOSTNETDE true
94.131.118.154
 unknown Ukraine
29632 NASSIST-ASGI true
185.248.144.209
 unknown France
31531 POINT-ASUA false
5.230.228.62
 unknown Germany
12586 ASGHOSTNETDE true
194.156.98.15
 unknown Russian Federation
135330 ADCDATACOM-AS-APADCDATACOMHK false
5.230.118.247
 unknown Germany
12586 ASGHOSTNETDE false

Contacted Domains

Name IP Active
iranistrash.libre unknown unknown