Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

Overview

General Information

Sample name: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf
Analysis ID: 1528448
MD5: 8b9271e97511d016923b7b5cda550be4
SHA1: 2c6311e0011326299798f5c4db044694e5cc55b9
SHA256: 82f6378b7d0a0849566db8a5e28462ff623952666bfb1eb507937cc5f41edcc4
Tags: elf
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample scans a subnet
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf ReversingLabs: Detection: 18%

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 5.230.171.8 ports 6036,0,1,2,4,27014,995,7,2222
Source: global traffic TCP traffic: 5.230.122.82 ports 0,1,2,5,27015,7
Source: global traffic TCP traffic: 5.230.228.62 ports 7000,25565,2022,0,7,6666
Source: global traffic TCP traffic: 5.230.229.84 ports 7000,22022,19153,1,3,5,9
Opens /sys/class/net/* files useful for querying network interface information
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435) Opens: /sys/class/net/ Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435) Opens: /sys/class/net/lo/address Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435) Opens: /sys/class/net/ens160/address Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435) Opens: /sys/class/net/ens160/flags Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435) Opens: /sys/class/net/ens160/carrier Jump to behavior
Sample scans a subnet
Source: ip traffic Subnet 5.230.228.0/24: 5.230.228.47, 5.230.228.42, 5.230.228.23, 5.230.228.45, 5.230.228.44, 5.230.228.62
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:39220 -> 5.230.228.62:7000
Source: global traffic TCP traffic: 192.168.2.13:33802 -> 5.230.171.9:2222
Source: global traffic TCP traffic: 192.168.2.13:39254 -> 5.230.229.84:19153
Source: global traffic TCP traffic: 192.168.2.13:41774 -> 5.230.228.23:3389
Source: global traffic TCP traffic: 192.168.2.13:49070 -> 5.230.122.81:4444
Source: global traffic TCP traffic: 192.168.2.13:38068 -> 5.230.228.47:7000
Source: global traffic TCP traffic: 192.168.2.13:43234 -> 5.230.122.82:27015
Source: global traffic TCP traffic: 192.168.2.13:37380 -> 5.230.228.44:10001
Source: global traffic TCP traffic: 192.168.2.13:49598 -> 5.230.228.42:3544
Source: global traffic TCP traffic: 192.168.2.13:50856 -> 5.230.228.45:995
Source: global traffic TCP traffic: 192.168.2.13:35088 -> 5.230.118.247:2022
Source: global traffic TCP traffic: 192.168.2.13:58884 -> 185.248.144.209:5222
Source: global traffic TCP traffic: 192.168.2.13:53086 -> 5.230.171.8:27014
Source: global traffic TCP traffic: 192.168.2.13:43070 -> 5.230.122.80:6036
Source: global traffic TCP traffic: 192.168.2.13:50858 -> 5.230.229.83:3074
Source: global traffic TCP traffic: 192.168.2.13:58134 -> 94.131.118.154:27050
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.23
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.47
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: global traffic DNS traffic detected: DNS query: iranistrash.libre
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal68.spre.troj.spyw.evad.linELF@0/0@1/0
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5420) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz Jump to behavior
Source: /usr/bin/dash (PID: 5421) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.8XdmNNwT1M /tmp/tmp.tOkt8QfLSy /tmp/tmp.BFzqVQDLVz Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5433) File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5433) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf (PID: 5435) Queries kernel information via 'uname': Jump to behavior
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00005639e3c60000.00005639e3dae000.rw-.sdmp Binary or memory string: 9V!/etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00005639e3c60000.00005639e3dae000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00007ffc2a66d000.00007ffc2a68e000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf, 5433.1.00007ffc2a66d000.00007ffc2a68e000.rw-.sdmp Binary or memory string: #x86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.17384.13664.elf

HIPS / PFW / Operating System Protection Evasion
barindex
Performs DNS TXT record lookups
Source: Traffic DNS traffic detected: queries for: iranistrash.libre

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
5.230.171.9
 unknown Germany
12586 ASGHOSTNETDE false
5.230.171.8
 unknown Germany
12586 ASGHOSTNETDE true
5.230.122.81
 unknown Germany
12586 ASGHOSTNETDE false
5.230.122.82
 unknown Germany
12586 ASGHOSTNETDE true
5.230.122.80
 unknown Germany
12586 ASGHOSTNETDE false
5.230.228.47
 unknown Germany
12586 ASGHOSTNETDE true
172.217.192.127
 unknown United States
15169 GOOGLEUS false
5.230.228.42
 unknown Germany
12586 ASGHOSTNETDE true
5.230.228.23
 unknown Germany
12586 ASGHOSTNETDE true
5.230.228.45
 unknown Germany
12586 ASGHOSTNETDE true
5.230.228.44
 unknown Germany
12586 ASGHOSTNETDE true
94.131.118.154
 unknown Ukraine
29632 NASSIST-ASGI false
185.248.144.209
 unknown France
31531 POINT-ASUA false
5.230.229.83
 unknown Germany
12586 ASGHOSTNETDE false
5.230.228.62
 unknown Germany
12586 ASGHOSTNETDE true
5.230.229.84
 unknown Germany
12586 ASGHOSTNETDE true
5.230.118.247
 unknown Germany
12586 ASGHOSTNETDE false

Contacted Domains

Name IP Active
iranistrash.libre unknown unknown