Linux Analysis Report
5FteLLQ1oY.elf

Overview

General Information

Sample name: 5FteLLQ1oY.elf
(renamed because the original name is a hash value)
Original sample name: d9d9bf404ee4d140658b2f84d2924795.elf
Analysis ID: 1529277
MD5: d9d9bf404ee4d140658b2f84d2924795
SHA1: 281ef5fb0a7e619ebf9f5d35cd33318247060274
SHA256: c15bcb9b5fbff2d7eeeae1c141b8aee193df7defa6e2e7a96a9033917578bc4c
Tags: 32, elf, mips, mirai

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: 5FteLLQ1oY.elf ReversingLabs: Detection: 23%
Source: /tmp/5FteLLQ1oY.elf (PID: 5540) Socket: 127.0.0.1:1234
Source: unknown TCP traffic detected without corresponding DNS query: 199.59.243.227
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 888, result: successful
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 1444, result: successful
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 1599, result: successful
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 1610, result: successful
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 5580, result: successful
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 5583, result: successful
Source: /tmp/5FteLLQ1oY.elf (PID: 5544) SIGKILL sent: pid: 5583, result: no such process
Source: classification engine Classification label: mal48.linELF@0/0@2/0
Source: /tmp/5FteLLQ1oY.elf (PID: 5540) Queries kernel information via 'uname'
Source: 5FteLLQ1oY.elf, 5540.1.000055e03e828000.000055e03e8d0000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 5FteLLQ1oY.elf, 5540.1.00007ffd442bb000.00007ffd442dc000.rw-.sdmp Binary or memory string: ex86_64/usr/bin/qemu-mipsel/tmp/5FteLLQ1oY.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/5FteLLQ1oY.elf
Source: 5FteLLQ1oY.elf, 5540.1.000055e03e828000.000055e03e8d0000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: 5FteLLQ1oY.elf, 5540.1.00007ffd442bb000.00007ffd442dc000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel