Linux Analysis Report
arm7.elf

Overview

General Information

Sample name:	arm7.elf
Analysis ID:	1528578
MD5:	f314c4789d08e22f82ccce70bdf649b8
SHA1:	cd311cd4f5b2fdff5ab97208d67b311f47891acb
SHA256:	60ccc1960f28cd5e89c5cd85c44c6a48b9fa83f3f176e3d39a3a0cfb45dd400d
Tags:	user-elfdigest
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Contains symbols with names commonly found in malware

Detected TCP or UDP traffic on non-standard ports

Sample and/or dropped files contains symbols with suspicious names

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm7.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm7.elf	ReversingLabs: Detection: 55%
Source: arm7.elf	Virustotal: Detection: 61%			Perma Link

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 93.123.39.105 ports 38241,1,2,3,4,8

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:49594 -> 93.123.39.105:38241

Sample listens on a socket

Source: /tmp/arm7.elf (PID: 6220)

Socket: 127.0.0.1:2353

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127

Source: global traffic

DNS traffic detected: DNS query: enemybotnet.com

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_gre_eth
Source: ELF static info symbol of initial sample	Name: attack_gre_ip
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_kill_all
Source: ELF static info symbol of initial sample	Name: attack_ongoing
Source: ELF static info symbol of initial sample	Name: attack_parse
Source: ELF static info symbol of initial sample	Name: attack_start

Sample and/or dropped files contains symbols with suspicious names

Source: arm7.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Source: classification engine

Classification label: mal72.troj.linELF@0/0@4/0

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/arm7.elf (PID: 6220)

Queries kernel information via 'uname':

Jump to behavior

Source: arm7.elf, 6220.1.000055f1870fd000.000055f18724f000.rw-.sdmp, arm7.elf, 6224.1.000055f1870fd000.000055f18722b000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm7.elf, 6220.1.000055f1870fd000.000055f18724f000.rw-.sdmp, arm7.elf, 6224.1.000055f1870fd000.000055f18722b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 6220.1.00007fff34817000.00007fff34838000.rw-.sdmp, arm7.elf, 6224.1.00007fff34817000.00007fff34838000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 6220.1.00007fff34817000.00007fff34838000.rw-.sdmp, arm7.elf, 6224.1.00007fff34817000.00007fff34838000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: arm7.elf, type: SAMPLE

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: arm7.elf, type: SAMPLE

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.123.39.105	enemybotnet.com	Bulgaria	43561	NET1-ASBG	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Contacted Domains

Name	IP	Active
enemybotnet.com	93.123.39.105	true

ID:	1528578
Product:	CloudBasic
Start time:	03:05:07
Start date:	08.10.2024
Sample:	arm7.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	f314c4789d08e22f82ccce70bdf649b8
SHA1:	cd311cd4f5b2fdff5ab97208d67b311f47891acb
SHA256:	60ccc1960f28cd5e89c5cd85c44c6a48b9fa83f3f176e3d39a3a0cfb45dd400d
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report arm7.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
arm7.elf

Malware Threat Intel
Provided by