Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf

Overview

General Information

Sample name: SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf
Analysis ID: 1528452
MD5: 20e936a36fac2fccaa27d081556cda28
SHA1: b177cfe525b78f07f97bb031165f5704579ec752
SHA256: 88caf6c4d21f2ed55c56aa451d3fced4b7f24248a9d196af588d644e5ea8d400
Tags: elf

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Connects to many ports of the same IP (likely port scanning)
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample scans a subnet
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Networking

Source: global traffic TCP traffic: 5.230.122.82 ports 2022,3,993,7,37777,1935
Source: global traffic TCP traffic: 5.230.122.80 ports 35000,34567,3,4,554,27014,5,6,7
Source: global traffic TCP traffic: 5.230.229.83 ports 5222,2,3,4,7,3724
Source: global traffic TCP traffic: 5.230.228.62 ports 2,3,993,4,7,10001,3724
Source: global traffic TCP traffic: 194.156.98.15 ports 34567,3,443,4,5,6,7
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5448) Opens: /sys/class/net/
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5448) Opens: /sys/class/net/lo/address
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5448) Opens: /sys/class/net/ens160/address
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5448) Opens: /sys/class/net/ens160/flags
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5448) Opens: /sys/class/net/ens160/carrier
Source: ip traffic Subnet 5.230.228.0/24: 5.230.228.47, 5.230.228.42, 5.230.228.23, 5.230.228.44, 5.230.228.62
Source: global traffic TCP traffic: 192.168.2.13:57436 -> 5.230.122.80:34567
Source: global traffic TCP traffic: 192.168.2.13:33740 -> 5.230.228.62:3724
Source: global traffic TCP traffic: 192.168.2.13:33782 -> 5.230.118.247:9000
Source: global traffic TCP traffic: 192.168.2.13:55364 -> 5.230.171.9:5000
Source: global traffic TCP traffic: 192.168.2.13:49748 -> 5.230.122.81:554
Source: global traffic TCP traffic: 192.168.2.13:38452 -> 5.230.228.44:10554
Source: global traffic TCP traffic: 192.168.2.13:40298 -> 5.230.122.82:37777
Source: global traffic TCP traffic: 192.168.2.13:59748 -> 185.248.144.209:993
Source: global traffic TCP traffic: 192.168.2.13:54706 -> 194.156.98.15:34567
Source: global traffic TCP traffic: 192.168.2.13:36506 -> 5.230.228.47:5000
Source: global traffic TCP traffic: 192.168.2.13:37776 -> 5.230.229.83:3724
Source: global traffic TCP traffic: 192.168.2.13:42252 -> 5.230.228.23:7000
Source: global traffic TCP traffic: 192.168.2.13:56458 -> 5.230.228.42:9000
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.62
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.118.247
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.171.9
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown TCP traffic detected without corresponding DNS query: 185.248.144.209
Source: global traffic DNS traffic detected: DNS query: iranistrash.libre
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56326
Source: unknown Network traffic detected: HTTP traffic on port 56326 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.spre.troj.spyw.evad.linELF@0/0@1/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5446) File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5446) Queries kernel information via 'uname'
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf (PID: 5448) Queries kernel information via 'uname'
Source: SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf, 5446.1.00007fffd46ac000.00007fffd46cd000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf
Source: SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf, 5446.1.000055e6c7d7f000.000055e6c7e2f000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf, 5446.1.000055e6c7d7f000.000055e6c7e2f000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: SecuriteInfo.com.ELF.Mirai-CVD.30330.5069.elf, 5446.1.00007fffd46ac000.00007fffd46cd000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc

HIPS / PFW / Operating System Protection Evasion

Source: Traffic DNS traffic detected: queries for: iranistrash.libre